Is this exploitable?
From: Jon Seymour
Subject: Is this exploitable?
Date: Mon, 11 May 2009 10:35:18 +1000

I am trying to parse untrusted strings and represent them in a form that
would be safe to execute.

So assuming as-echo.sh is defined as below, for example:

    cmd="echo"
    for a in "$@"
    do
        cmd="$cmd '${a/\'/''}'"
    done
    echo "$cmd"
    eval "$cmd"

Then:

    as-echo.sh 'a' '$(foobar)' 'c'

would produce:

    echo 'a' '$b' 'c'
    a $b c

Is my code safe, or can someone maliciously choose arguments to
as-echo.sh that could cause it (as-echo.sh) to do something other than
write to stdout?

Can anyone point me to best practice for this kind of protection in bash?

jon.
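
Added example, not part of the original message: the `${a/\'/''}` expansion above uses a single `/`, so it rewrites only the first single quote in each argument. The sketch below quotes every embedded quote as `'\''` and checks that `eval` returns each argument unchanged. The function names `sq_quote`, `build_cmd` and `roundtrip` are hypothetical, and the sample arguments are constructed.

```shell
#!/bin/sh
# Added example: portable sh, also valid in bash. Names are hypothetical.

# sq_quote STRING: print STRING as exactly one single-quoted shell word.
# Every embedded ' becomes '\'' (close quote, escaped quote, reopen quote),
# so eval never sees an unquoted character from the input.
sq_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) pre=${s%%\'*}          # text before the first remaining quote
                  out="$out$pre'\\''"    # append it plus the 4-char sequence '\''
                  s=${s#*\'} ;;          # continue after that quote
            *)    out="$out$s"; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# build_cmd ARGS...: print "echo" followed by each argument, safely quoted.
build_cmd() {
    cmd=echo
    for a in "$@"; do
        cmd="$cmd $(sq_quote "$a")"
    done
    printf '%s\n' "$cmd"
}

# roundtrip STRING: succeed only if eval of the quoted form gives STRING back
# as one word, i.e. nothing in it was split, expanded or executed.
roundtrip() {
    orig=$1
    eval "set -- $(sq_quote "$orig")"
    [ "$#" -eq 1 ] && [ "$1" = "$orig" ]
}

# Constructed sample arguments, including one with several single quotes.
build_cmd 'a' '$(foobar)' "it's 'quoted'"
eval "$(build_cmd 'a' '$(foobar)' "it's 'quoted'")"
```

In bash, `printf '%q'` produces an eval-safe quoting without a hand-written loop, and passing the arguments as `"$@"` or an array avoids `eval` altogether.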