2014-12-07 19:34:53 -0800, Linda Walsh: [...] > Stephane Chazelas wrote: > > declare -l a="$external_input" > > > >he's entitled to expect $a to contain the lower case version of > >$external_input whatever $external_input contain. > --- > Only if you properly quote "external input". > > If you properly quote the external input I don't see the problem: > > Does this example demonstrate your setup? > > >declare -a a=(1 2 3) > >b='($(echo FOO))' > >printf -v qb "%q" "$b" # here must quote the raw 'external input' string > >declare -l a=$qb # redefining 'a' to be lower case > >read c <<<$a # read the quoted value printf "%s\n" > >"$c" > ($(echo foo)) # no execution -- just the case lowering you want > > Am I missing something?
I think you're missing my point. I'm saying that if a script writer writes: declare a="$b" intending to declare the *scalar* varible "$a" as a copy of the scalar variable "$b" (and remember that in ksh/bash, scalar variables and arrays are not very differentiated, $a being ${a[0]}), and overlooked (or is not aware of (because that was done by 3rd party code for instance)) the fact that the variable was used as an array before (for instance because he used a[0]=foo instead of a=foo for instance), then: - it will work in most of the cases (and that's one aspect why it's dangerous, because it's hard to detect). - but you've got a code injection vulnerability (in the very special case where $b starts with "(". - for no good reason. See ksh for a better syntax that doesn't have the issue. - and it's not consistent when the same assignment is done without "declare" (and no, I don't agree "declare" is a mere builtin as it's already parsed halfway between a builtin and an assignment). Now, if the script writer intends to make the *array* variable $a a copy (well potentially changing the indices) of $b, he would simply write: declare -la a=("${b[@]}") I certainly don't expect him to have to resort to `printf %q` here for that. -- Stephane