
Re: [Help-bash] avoiding shell variable expansion


From: Eli Schwartz
Subject: Re: [Help-bash] avoiding shell variable expansion
Date: Fri, 4 Oct 2019 02:47:39 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0

On 10/4/19 2:29 AM, Andy Chu wrote:
> He didn't ask about sanitizing a shell string.  He asked about avoiding
> shell expansion.  You misread the question, not me.

Then you misread the question even worse.

I'm confused why you think copying a shell variable into another shell
variable (or even an array) is any better of an answer.

In order to "1. Store the command in an array.  Quote each arg
properly." you would need to assume the data is being stored in a bash
file which is being sourced.

It's quite plausible to consider your own code with static content to be
a source of shell injection, due to e.g. executing a filename as code.
The given example asked "how to suppress expansion of the asterisk",
which does not require storing and evaluating external user data.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
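
The expansion behaviours this thread is arguing about, as an added bash example that is not part of the original message or of any poster's code: a command held in a flat string versus an array, and a filename passed through `eval` versus as a quoted argument. The function names, the `a.txt`/`b.txt` sandbox files and the `report$(echo INJECTED).txt` filename are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added illustration; all file names below are constructed sample data.
# Scratch directory holding two ordinary files; prints its path.
make_sandbox() {
    local dir
    dir=$(mktemp -d) || return 1
    : > "$dir/a.txt"; : > "$dir/b.txt"
    printf '%s\n' "$dir"
}

# Print each argument on its own line so the exact words are visible.
show_args() { printf '<%s>\n' "$@"; }

# Flat string expanded unquoted: after word splitting the lone *
# undergoes pathname expansion in the current directory.
string_unquoted() {
    local cmd='show_args *'
    (cd "$1" && $cmd)
}

# Same string with pathname expansion disabled (set -f) in the subshell.
string_noglob() {
    local cmd='show_args *'
    (cd "$1" && set -f && $cmd)
}

# Array with each argument quoted when stored: "${cmd[@]}" yields the
# stored words exactly, with no splitting and no globbing.
array_quoted() {
    local cmd=(show_args '*' 'two words')
    (cd "$1" && "${cmd[@]}")
}

# Static code that feeds a filename to eval runs the shell syntax in it.
eval_filename() {
    local name='report$(echo INJECTED).txt'
    eval "show_args $name"
}

# The same name passed as a quoted argument stays plain data.
quoted_filename() {
    local name='report$(echo INJECTED).txt'
    show_args "$name"
}

dir=$(make_sandbox) || exit 1
string_unquoted "$dir"; string_noglob "$dir"; array_quoted "$dir"
eval_filename; quoted_filename
rm -rf "$dir"
```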
