On Tuesday, April 15, 2014 05:46:07 PM Ralf Goertz wrote: > I am not the OP but on OpenSuse 13.1 I have > > $ type dequote > dequote is a function > dequote () > { > eval printf %s "$1" 2> /dev/null > }
If you're already aware, for the benefit of others, that's a very dangerous function. The right argument allows arbitrary code execution if it contains e.g. a semicolon to delimit a new command. "dequote" is a deceptive name there. I hope that isn't some distro's default bashrc. $ ( evil() { echo "evil here"; }; dequote() { eval printf %s "$1" 2> /dev/null; }; set -x; dequote "; evil" ) + dequote '; evil' + eval printf %s '; evil' evil here -- Dan Douglas