|
|
|
|
|
|
by gdb
5017 days ago
|
|
|
You shouldn't have to sanitize if you quote your variables properly. If general, the rules for "$foo" are "parse first, expand afterwards" while those for $foo are "parse, expand, parse again", so foo="hello world"
echo $foo # prints "hello world" [2 arguments]
echo "$foo" # prints "hello world" [1 argument]
Note that you can't trivially inject a command this way, though you can inject arbitrary arguments: foo="; ls"
echo $foo # prints "; ls"
I would recommend never using test ([) with more than three arguments. Once you start doing -a and -o, then people can inject confusing values for variables, making it impossible to parse: foo='!'
bar='2'
[ "$foo" = 1 -a "$bar" = 2 ] # -bash: [: too many arguments
Since test runs a subprocess, it can't tell the difference between data and arguments. Instead, you should do something like this: foo='!'
bar='2'
[ "$foo" = 1 ] && [ "$bar" = 2 ]
(This also has the advantage of being way more legible.) |
|
|