Re: Arbitrary command execution from test on a quoted string

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Arbitrary command execution from test on a quoted string

From:	felix
Subject:	Re: Arbitrary command execution from test on a quoted string
Date:	Sun, 31 Oct 2021 09:05:22 +0100

Unfortunely, this won't be useable with associative array, like:

   declare -A AssocVar='([Some string.]=foo)'
   test -v AssocVar['Some string.'] && echo yes || echo no
   yes
   isvar AssocVar['Some string.']  && echo yes || echo no
   no

But Lea's solution seem work:

   test "${AssocVar['Some string.']@Q}"  && echo yes || echo no
   yes

Even with empty variables:

   declare -A AssocVar='([Some string.]=)'
   test "${AssocVar['Some string.']@Q}"  && echo yes || echo no
   yes
   test "${AssocVar['Some other string?']@Q}"  && echo yes || echo no
   no

Le Fri, Oct 29, 2021 at 07:54:17AM -0400, Greg Wooledge a écrit :
> On Fri, Oct 29, 2021 at 07:37:13AM +0200, Léa Gris wrote:
> > A safe way to replace:
> > test -v "$USER_INPUT"
> > 
> > Would be:
> > test "${USER_INPUT@Q}"
> > 
> > But it is not backward-compatible with older bash versions.
> 
> test -v is fairly recent as well.  That was introduced in 4.2, and the @Q
> syntax in 4.4.
> 
> I would suggest a three-step validation:
> 
> isvar() {
>   [[ $1 = LC_ALL ]] && { test -v "$1"; return; }
> 
>   local LC_ALL=C
>   [[ $1 = [a-zA-Z_]*([a-zA-Z0-9_]) ]] || return 1
> 
>   test -v "$1"
> }

-- 
 Félix Hauri  -  <felix@f-hauri.ch>  -  http://www.f-hauri.ch

[Prev in Thread]

Current Thread

[Next in Thread]

Arbitrary command execution from test on a quoted string, elettrino, 2021/10/28
- Re: Arbitrary command execution from test on a quoted string, Kerin Millar, 2021/10/28
- Re: Arbitrary command execution from test on a quoted string, Greg Wooledge, 2021/10/28
  - Re: Arbitrary command execution from test on a quoted string, Léa Gris, 2021/10/29
    - Re: Arbitrary command execution from test on a quoted string, Greg Wooledge, 2021/10/29
    - Re: Arbitrary command execution from test on a quoted string, felix <=
    - Re: Arbitrary command execution from test on a quoted string, Greg Wooledge, 2021/10/31
- Re: Arbitrary command execution from test on a quoted string, Ilkka Virta, 2021/10/29
  - Re: Arbitrary command execution from test on a quoted string, Greg Wooledge, 2021/10/29
    - Re: Arbitrary command execution in shell - by design!, L A Walsh, 2021/10/29
    - Re: Arbitrary command execution in shell - by design!, Greg Wooledge, 2021/10/29
    - Re: Arbitrary command execution in shell - by design!, Léa Gris, 2021/10/29
    - Re: Arbitrary command execution in shell - by design!, L A Walsh, 2021/10/30
    - Re: Arbitrary command execution in shell - by design!, Léa Gris, 2021/10/30
    - Re: Arbitrary command execution in shell - by design!, Ángel, 2021/10/30
    - Re: Arbitrary command execution in shell - by design!, Robert Elz, 2021/10/29

Prev by Date: Re: Why should `break' and `continue' in functions not break loops running outside of the function?
Next by Date: Re: hash not restored after running command -p
Previous by thread: Re: Arbitrary command execution from test on a quoted string
Next by thread: Re: Arbitrary command execution from test on a quoted string
Index(es):
- Date
- Thread