
Re: [Help-bash] avoiding shell variable expansion


From: Andy Chu
Subject: Re: [Help-bash] avoiding shell variable expansion
Date: Thu, 3 Oct 2019 22:09:51 -0700

On Thu, Oct 3, 2019 at 8:43 PM Dmitry Alexandrov <address@hidden> wrote:

> Andy Chu <address@hidden> wrote:
> > On Thu, Oct 3, 2019 at 3:07 PM Greg Silverman <address@hidden> wrote:
> >> In Python one can spawn a child process and avoid bash expanding command line arguments, e.g.
> >>
> >> # file: ls.py
> >> import subprocess
> >> proc = subprocess.Popen(['/bin/ls','*'],shell=False)
> >
> > Simplest way:
> > $ mycmd=(ls '*')
> > $ "${mycmd[@]}"
> > ls: cannot access '*': No such file or directory
>
> Why the array?  ¿Is not this exactly the same as:
>
>         $ ls '*'
>

It is exactly the same, except that the argv array is in data, not in
source code.

When someone's asking about "code injection", they're asking about
processing data from elsewhere.  So the command isn't written literally in
the source, but read from somewhere else.

Of course I wrote the array in the source code, and maybe that's the
confusion.  But the array can come from anywhere, or more likely it's a
PART of the array that comes from somewhere, and another part is written in
the script.

Also, I should mention that there are all sorts of reasons besides shell
code injection that this might not be safe (e.g. what commands can be
run?), but that's beyond the scope of the question ...

Andy
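
The case described in this message, where part of the argv array is written in the script and part comes from elsewhere, as an added example that is not part of the original thread. The helper names (`show_argv`, `run_as_string`, `run_unquoted`, `run_as_array`, `in_sandbox`) and the sample value are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. All function names and the
# sample value below are constructed for illustration.

# Print each argument a command would receive, one per line, in brackets.
show_argv() { printf '[%s]\n' "$@"; }

# Data pasted into a string and parsed again as shell code.
run_as_string() { eval "show_argv --label $1"; }

# Data expanded unquoted: no code runs, but it is word-split and globbed.
run_unquoted() { show_argv --label $1; }

# Data appended as one array element: passed through byte for byte.
run_as_array() {
  local -a cmd=(show_argv --label)  # part written in the script
  cmd+=("$1")                       # part that comes from elsewhere
  "${cmd[@]}"
}

# Run a function in a scratch directory holding two known files, so that
# any glob expansion is visible and repeatable.
in_sandbox() {
  local dir
  dir=$(mktemp -d) || return 1
  ( cd "$dir" && touch a.txt b.txt && "$@" )
  local rc=$?
  rm -rf "$dir"
  return "$rc"
}

# Constructed sample input: a glob, whitespace and a command separator.
sample='* ; echo INJECTED'

demo() {
  local f
  for f in run_as_string run_unquoted run_as_array; do
    echo "== $f"
    in_sandbox "$f" "$sample"
  done
}

demo
```

Only `run_as_array` hands the command a single argument equal to the input; the unquoted form changes the argument count, and the `eval` form runs the text after the separator as a second command.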

