Re: simple prob?

[L A Walsh]

On 2021/06/29 16:51, Greg Wooledge wrote:
> On Tue, Jun 29, 2021 at 04:29:05PM -0700, L A Walsh wrote:
>   
> > > > njobs() { printf ${1:+-v $1} "%s\n" "$(jobs |wc -l)"; }
> > > >         
>
>   
> >    Which is detected as "illegal input" and disallowed.  If you don't enable
> > some security errors, they can't be as easily introduced.
> >     
>
> Are you *still* insisting that your failure to quote is a SECURITY
> FEATURE?
>
> Come *on*!
>   
----
   In this case, not quoting was deliberately intended as variable
names wouldn't need it.  Any security consideration was purely
secondary.  I'm an avid quoter where it is needed, but I no longer
quote for the sake of quoting as I once did.  In a similar manner
I try to not overuse parentheses, just for the sake of it.

   As I stated before, my scripts are most often for myself.  If I needed
security, I'd probably write in a compiled language rather than a
scripting one.
> unicorn:~$ njobs() { printf ${1:+-v $1} "%s\n" "$(jobs |wc -l)"; }
> unicorn:~$ njobs 'x[0$(date>&2)]'
> Tue Jun 29 19:49:16 EDT 2021
>
> All I had to do was remove the space.  You're not even trying.
>
> Your failure to quote is simply a failure.  If you want to prevent
> code injection attacks, you need to sanity-check the input.
>
> There is no other way.
>
>