help-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-bash] avoiding shell variable expansion

From: Andreas Kusalananda Kähäri
Subject: Re: [Help-bash] avoiding shell variable expansion
Date: Fri, 4 Oct 2019 08:46:48 +0200
User-agent: Mutt/1.12.2 (2019-09-21) 
On Thu, Oct 03, 2019 at 07:47:42PM +0000, Greg Silverman wrote:
> In Python one  can spawn a child process and avoid bash expanding command 
> line arguments, e.g.
> 
> //file: ls.py
> import subprocess
> proc = subprocess.Popen(['/bin/ls','*'],shell=False)
> 
> then
> ./ls.py
> /bin/ls: cannot access '*': No such file or directory
> 
> As the shell argument is set to False, the ls command is not passed to bash 
> before being executed and the star is not expanded to ${PWD}.
> 
> Is there a way to launch a command from a bash script which, also, avoids 
> shell expansion? This question is for security, to avoid code injection.

Is it "set -f" ("set -o noglob") you're after?  This would not disable
expansions, but would disable filename generation ("globbing"), which
seems to be the feature you're concerned about in your Python example.

    $ touch file
    $ ls *
    file
    $ set -f
    $ ls *
    ls: *: No such file or directory

Use "set +f" ("set +o noglob") to turn on globbing again.

Also note that * would not never expand to $PWD but to the visible names
in the current directory (this may have been what you meant).

Regards,
Kusalananda
reply via email to
[Prev in Thread] Current Thread [Next in Thread]