
Re: declare a="$b" if $a previously set as array

From: Linda Walsh
Subject: Re: declare a="$b" if $a previously set as array
Date: Mon, 08 Dec 2014 12:48:05 -0800
User-agent: Thunderbird

Stephane Chazelas wrote:
> 2014-12-07 19:34:53 -0800, Linda Walsh:
>> Stephane Chazelas wrote:
>>>   declare -l a="$external_input"
>>>
>>> he's entitled to expect $a to contain the lower case version of
>>> $external_input whatever $external_input contain.
>> Only if you properly quote "external input".
>>
>> If you properly quote the external input I don't see the problem:
>>
>> Does this example demonstrate your setup?
>>
>> declare -a a=(1 2 3)
>> b='($(echo FOO))'
>> printf -v qb "%q" "$b"    # here must quote the raw 'external input' string
>> declare -l a=$qb          # redefining 'a' to be lower case
>> read c <<<$a              # read the quoted value
>> printf "%s\n" "$c"
>> ($(echo foo))             # no execution -- just the case lowering you want
>>
>> Am I missing something?
>
> I think you're missing my point.
>
> I'm saying that if a script writer writes:
>
>     declare a="$b"
>
> intending to declare the *scalar* variable "$a" as a copy of the
> scalar variable "$b"
        How does the script writer **KNOW** $a and $b are scalar?

        I'm using 'a=fmt' and 'b=out' for clarity in my example
but say I want to insert a line to print the current UID/EUID/time & hostname:


### add lowercase info line of currently executing user:

unset fmt out
declare -x fmt='($(echo uid:$UID) $(echo euid:$EUID) $(date) $(uname -n))'
declare -a out
declare -l out=$fmt
echo "address@hidden"
sudo bash --norc -c 'declare -a out;declare -l out=$fmt; echo "address@hidden"'

Run that and you get:

   out=uid:5013 euid:5013 mon dec 8 12:39:06 pst 2014 ishtar
   out=uid:0 euid:0 mon dec 8 12:39:06 pst 2014 ishtar

All of the terms are evaluated at the time of final execution.

--- This usage ***depends*** on delayed evaluation -- which you
claim is "code injection".   This is the way shell is supposed to
operate.  The programmer ***HAS*** to choose when to cause the expression
to be evaluated depending on their need.

They need to ensure inputs are clean.

You may not like that programmers have to deal with such, and if it bothers
you enough, go to a more encapsulated language and environment (java, javascript, perl (has tainting tracking to help w/this), et al). But whatever the language, they all still have problems -- but at least are designed with more protection
from their beginnings.

Shell wasn't.  It was a way to run commands and allow
for variable and powerful behaviors based on quoting and substitution rules.

How would you address your problem w/o affecting programs like the above?
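Added example, not code from the thread: it runs the `declare -l out=...` pattern discussed above against a variable that was already declared an array, next to a plain assignment with the `${var,,}` case-modification operator, which lowercases the literal string without re-parsing it. The input string, the harmless marker command, and the function names are constructed for illustration; bash-specific parts are run through an explicit `bash -c` so the outer script stays POSIX.

```shell
#!/bin/sh
# Constructed "external input": looks like a compound array assignment and
# carries a harmless marker command substitution in place of a real payload.
INPUT='($(echo MARKER) hello)'

# The pattern from the thread: the variable is already an array, then
# declare -l is used to lowercase new input. In the bash versions the thread
# discusses, a value of the form "(...)" is treated as a compound assignment
# and the $(...) inside the untrusted input is evaluated (quoting $1 here does
# not change that). Deprecation warnings from newer bash go to stderr.
unsafe_declare() {
    bash -c 'declare -a out; declare -l out="$1"; printf "%s\n" "${out[*]}"' _ "$INPUT" 2>/dev/null
}

# The alternative: a plain assignment never reparses its value, and ${out,,}
# lowercases the literal string whatever characters it contains.
safe_lower() {
    bash -c 'out=$1; printf "%s\n" "${out,,}"' _ "$INPUT"
}

# Classifies what came out of the declare: "literal" if the input survived as
# text (the $( sequence is still there), "executed" if the command
# substitution was evaluated away, "error" if bash produced nothing.
classify() {
    case "$1" in
        '')      echo error ;;
        *'$('*)  echo literal ;;
        *)       echo executed ;;
    esac
}

echo "declare -l on an existing array: $(classify "$(unsafe_declare)")"
echo "plain assignment + \${out,,}:    $(safe_lower)"
```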
