[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: simple prob?

From: Greg Wooledge
Subject: Re: simple prob?
Date: Tue, 29 Jun 2021 18:49:38 -0400

On Tue, Jun 29, 2021 at 02:58:28PM -0700, L A Walsh wrote:
> njobs() { printf ${1:+-v $1} "%s\n" "$(jobs |wc -l)"; }
> Using that with your input:
> njobs 'x[0$(date >&2)]'
> bash: printf: `x[0$(date': not a valid identifier

This is because you didn't quote "$1".  Since you only ever tested
the cases where $1 was a valid variable name, you never ran into that
particular result... until now.

As you can see, the unquoted $1 underwent word splitting, so you're
effectively running printf -v 'x[0$(date' '>&2)]' '%s\n' "...".

This won't protect against all code injections, of course; only the
ones that contain a whitespace character.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]