[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Execution of a data string
|
From: |
Reuti |
|
Subject: |
Re: Execution of a data string |
|
Date: |
Thu, 22 Sep 2016 16:45:28 +0200 |
> Am 22.09.2016 um 15:23 schrieb Greg Wooledge <wooledg@eeg.ccf.org>:
>
> On Wed, Sep 21, 2016 at 11:15:45PM -0400, mobatuorg@yahoo.ca wrote:
>> In Summary:
>>
>> declare -a "$string" # results in execution of $string
>> declare -a a=($string) # does not result in execution of $string
>
> This is why you don't use the first form. It's the same with eval --
> if you don't have full control over the statement being eval'ed, then
> you risk undesired code execution.
Even without `eval` it's dangerous, i.e. specifying solely $ExecuteThisData on
the command line.
-- Reuti
> Your second form also has some issues. The contents of $string will
> undergo word splitting and then pathname expansion (globbing). This could
> cause unexpected results if any of the words expands to a glob pattern
> which matches actual files. If you want to split a string into an array,
> this is safer as long as the string does not contain any newlines:
>
> read -ra a <<< "$string"
>
> If the string contains newlines, then:
>
> read -rd '' -a a <<< "$string"
>
> Of course, this read command will always exit with status "1" because
> it never finds a NUL byte. That's only a problem if you use set -e,
> which of course no sane person should be doing....
>