Re: [Help-bash] avoiding shell variable expansion


From: Andy Chu
Subject: Re: [Help-bash] avoiding shell variable expansion
Date: Thu, 3 Oct 2019 22:12:44 -0700

By the way, my blog post also covers how you splice one array into the
other, which covers that common case:

user_array=(some '*' untrusted data '*')

my_prefix=(ls -l --)

Then you can do:

"${my_prefix[@]}" "${user_array[@]}"

Or you if you want to store it in another array, do:

mycmd=("${my_prefix[@]}" "${user_array[@]}")

and execute it later:

"${mycmd[@]}"


Andy



On Thu, Oct 3, 2019 at 10:09 PM Andy Chu <address@hidden> wrote:

>
>
> On Thu, Oct 3, 2019 at 8:43 PM Dmitry Alexandrov <address@hidden> wrote:
>
>> Andy Chu <address@hidden> wrote:
>> > On Thu, Oct 3, 2019 at 3:07 PM Greg Silverman <address@hidden> wrote:
>> >> In Python one can spawn a child process and avoid bash expanding
>> >> command line arguments, e.g.
>> >>
>> >> # file: ls.py
>> >> import subprocess
>> >> proc = subprocess.Popen(['/bin/ls', '*'], shell=False)
>> >
>> > Simplest way:
>> > $ mycmd=(ls '*')
>> > $ "${mycmd[@]}"
>> > ls: cannot access '*': No such file or directory
>>
>> Why the array?  ¿Is not this exactly the same as:
>>
>>         $ ls '*'
>>
>
> It is exactly the same, except that the argv array is in data, not in
> source code.
>
> When someone's asking about "code injection", they're asking about
> processing data from elsewhere.  So the command isn't written literally in
> the source, but read from somewhere else.
>
> Of course I wrote the array in the source code, and maybe that's the
> confusion.  But the array can come from anywhere, or more likely it's a
> PART of the array that comes from somewhere, and another part is written in
> the script.
>
> Also, I should mention that there are all sorts of reasons besides shell
> code injection that this might not be safe (e.g. what commands can be
> run?), but that's beyond the scope of the question ...
>
> Andy
>
>
>
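The splice described above, as an added example that is not part of the thread: it contrasts the quoted array form with an unquoted string expansion so the difference in what the command actually receives is visible, and it also shows the user part arriving as data rather than as a literal in the script. The scratch directory, file names, the stand-in command `argv_count` and the function names are all constructed for the example; it assumes bash 4 or later (for `mapfile` and process substitution).

```bash
#!/usr/bin/env bash
# Added example (not from the thread): compare quoted array splicing with
# unquoted expansion, inside a scratch directory holding two constructed files.

# argv_count: stand-in for the real command (ls in the thread); prints how
# many arguments it received, i.e. the size of argv the command would see.
argv_count() { printf '%s\n' "$#"; }

# run_safe: trusted prefix array + untrusted array, every element quoted.
# Each '*' reaches the command as a literal argument; nothing is globbed.
run_safe() {
    local prefix=(argv_count --)                       # written in the script
    local user_array=(some '*' untrusted data '*')     # constructed "user" data
    local mycmd=("${prefix[@]}" "${user_array[@]}")    # splice, as in the post
    "${mycmd[@]}"
}

# run_unsafe: the same data kept as one string and expanded unquoted, so it
# is word-split and each '*' is glob-expanded against the current directory.
run_unsafe() {
    local user_string='some * untrusted data *'        # constructed "user" data
    argv_count -- $user_string                         # deliberately unquoted
}

# run_from_data: the untrusted part is read from a stream of lines (constructed
# with printf here, it could be a file or a pipe) and spliced the same way.
# A line containing a space stays one argument, and '*' stays literal.
run_from_data() {
    local prefix=(argv_count --)
    local user_array
    mapfile -t user_array < <(printf '%s\n' 'some' '*' 'untrusted data')
    local mycmd=("${prefix[@]}" "${user_array[@]}")
    "${mycmd[@]}"
}

# demo: runs all three forms in a scratch directory containing a.txt and b.txt
# and returns the three argv counts as "safe unsafe from_data".
demo() {
    local dir safe unsafe from_data
    dir=$(mktemp -d)
    touch "$dir/a.txt" "$dir/b.txt"
    safe=$(cd "$dir" && run_safe)            # -- some * untrusted data *      -> 6
    unsafe=$(cd "$dir" && run_unsafe)        # -- some a.txt b.txt untrusted data a.txt b.txt -> 8
    from_data=$(cd "$dir" && run_from_data)  # -- some * "untrusted data"      -> 4
    rm -rf "$dir"
    printf '%s %s %s\n' "$safe" "$unsafe" "$from_data"
}

demo
```

Run it with bash and the three numbers show the point of the thread: only the unquoted form lets the filesystem rewrite the user's arguments, and the argument count then depends on what happens to be in the current directory. The `--` in the prefix is the other half of the pattern from the post: it stops a user element beginning with `-` from being read as an option by the real command.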

