Re: [Help-bash] safe parsing of configuration files?
From: adrelanos
Subject: Re: [Help-bash] safe parsing of configuration files?
Date: Sat, 04 May 2013 22:11:26 +0000
Jerry:
> On Sat, 04 May 2013 21:08:31 +0000
> adrelanos articulated:
>
>> Hi!
>>
>> Is there a bulletproof way to parse configuration files using bash?
>>
>> Layout:
>>
>> (spaces)
>>
>> # comments...
>> var1="something"
>>
>> # more comments...
>>
>> var2="something else"
>>
>> var3="Some
>>
>> plain text
>>
>> also includes spaces and empty lines
>> ..."
>>
>> (spaces)
>>
>> How can I read an untrusted config file while preventing all kinds of
>> code execution from it?
>>
>> The most competent source on that question appeared to be:
>> http://wiki.bash-hackers.org/howto/conffile
>>
>> "This filter only allows NAME=VALUE and comments in the file, though
>> it doesn't prevent all methods of executing code. I will address that
>> later." - This later never happened or I failed to find it.
>
> I have been using this function for a few years now in a few scripts
> that I maintain. So far, it seems to be working quite well.
>
> function readconf () {
>     while read line; do
>         # skip comments
>         [[ ${line:0:1} == "#" ]] && continue
>         # skip empty lines
>         [[ -z "${line}" ]] && continue
>         eval ${line}
>     done < "${CONFIG_FILE}"
> }
Unfortunately, it doesn't prevent code execution.
testvariable="$(which mkdir)"
testvariable will become "/bin/mkdir".
Essentially, I just want to set variables, without evaling any other
commands.
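
The following is an added example, not part of the original thread: one way to read the NAME="VALUE" layout described above (including multi-line quoted values) as plain data, without `eval` or `source`. The function name `conf_get`, the `_`-prefixed variables and the sample file are assumptions made for illustration.

```bash
# Added example, not from the thread. conf_get FILE NAME prints NAME's value.
# Returns 0 on success, 1 if NAME is not set, 2 if the file is malformed.
# Lines are only ever compared and sliced as strings; nothing is eval'ed.
NL='
'
conf_get() {
    _want=$2 _in=0 _rc=1 _name= _val= _out=
    while IFS= read -r _line || [ -n "$_line" ]; do
        if [ "$_in" -eq 0 ]; then
            case $_line in
                *[![:space:]]*) ;;          # line has content
                *) continue ;;              # blank or whitespace-only
            esac
            case $_line in '#'*) continue ;; esac
            case $_line in *=\"*) ;; *) return 2 ;; esac
            _name=${_line%%=*} _val=${_line#*=}
            case $_name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac
            case $_val in \"*) _val=${_val#\"} ;; *) return 2 ;; esac
        else
            _val=$_val$NL$_line             # continuation of a quoted value
        fi
        case $_val in
            *\") _val=${_val%\"} _in=0 ;;   # closing quote ends the value
            *)   _in=1; continue ;;
        esac
        if [ "$_name" = "$_want" ]; then _out=$_val _rc=0; fi
    done < "$1"
    [ "$_in" -eq 0 ] || return 2            # unterminated quoted value
    [ "$_rc" -eq 0 ] && printf '%s\n' "$_out"
    return "$_rc"
}

# Constructed sample input: the thread's layout plus the thread's test line.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# comments...
var1="something"

var3="Some

plain text
..."
testvariable="$(which mkdir)"
EOF
conf_get "$SAMPLE_CONF" testvariable    # prints the literal text $(which mkdir)
```

The caller assigns only the names it expects, for example `var1=$(conf_get "$file" var1)`, so the file cannot set variables such as PATH. Any line that is not a comment, blank, or NAME="VALUE" makes the whole file fail with status 2 rather than being skipped.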