[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Execution of a data string

From: Reuti
Subject: Re: Execution of a data string
Date: Thu, 22 Sep 2016 16:45:28 +0200

> Am 22.09.2016 um 15:23 schrieb Greg Wooledge <address@hidden>:
> On Wed, Sep 21, 2016 at 11:15:45PM -0400, address@hidden wrote:
>> In Summary:
>> declare -a "$string"       # results in execution of $string
>> declare -a a=($string)    # does not result in execution of $string
> This is why you don't use the first form.  It's the same with eval --
> if you don't have full control over the statement being eval'ed, then
> you risk undesired code execution.

Even without `eval` it's dangerous, i.e. specifying solely $ExecuteThisData on 
the command line.

-- Reuti

> Your second form also has some issues.  The contents of $string will
> undergo word splitting and then pathname expansion (globbing).  This could
> cause unexpected results if any of the words expands to a glob pattern
> which matches actual files.  If you want to split a string into an array,
> this is safer as long as the string does not contain any newlines:
> read -ra a <<< "$string"
> If the string contains newlines, then:
> read -rd '' -a a <<< "$string"
> Of course, this read command will always exit with status "1" because
> it never finds a NUL byte.  That's only a problem if you use set -e,
> which of course no sane person should be doing....

reply via email to

[Prev in Thread] Current Thread [Next in Thread]