[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: tokenize honoring quotes
|
From: |
Chet Ramey |
|
Subject: |
Re: tokenize honoring quotes |
|
Date: |
Fri, 5 Aug 2022 16:04:55 -0400 |
|
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 |
On 8/5/22 3:54 PM, Robert E. Griffith wrote:
Boy, eval quoting kind of bends my mind. When I first looked at it I
thought "that cant be right" but now I see it. What if I need to avoid
arbitrary code execution like ..
str='echo "hello $(ls >/dev/tty) World"'
Is there anything without using eval? I played around with passing it
through printf's %q but that renders the whole string escaped so it become
just one token again.
If you want quoting to be honored, you have to run the string through the
shell parser again. Part of doing it this way means you're going to have to
run the string through word expansion (there's no getting around that; each
word in a compound array assignment is expanded). If you know more about
the input, you'll have to quote it yourself.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/