
Re: [Help-bash] safe parsing of configuration files?


From: adrelanos
Subject: Re: [Help-bash] safe parsing of configuration files?
Date: Sat, 04 May 2013 22:11:26 +0000

Jerry:
> On Sat, 04 May 2013 21:08:31 +0000
> adrelanos articulated:
> 
>> Hi!
>>
>> Is there a bulletproof way to parse configuration files using bash?
>>
>> Layout:
>>
>> (spaces)
>>
>>    # comments...
>>    var1="something"
>>
>>    # more comments...
>>
>>    var2="something else"
>>
>>    var3="Some
>>
>> plain text
>>
>> also includes spaces and empty lines
>> ..."
>>
>> (spaces)
>>
>> How can I read an untrusted config file while preventing all kinds of
>> code execution from it?
>>
>> The most competent source on that question appeared to be:
>> http://wiki.bash-hackers.org/howto/conffile
>>
>> "This filter only allows NAME=VALUE and comments in the file, though
>> it doesn't prevent all methods of executing code. I will address that
>> later." - This later never happened or I failed to find it.
> 
> I have been using this function for a few years now in a few scripts
> that I maintain. So far, it seems to be working quite well.
> 
> function readconf () {
> while read line; do
> # skip comments
>   [[ ${line:0:1} == "#" ]] && continue
> # skip empty lines
>   [[ -z "${line}" ]] && continue
>   eval ${line}
> done < "${CONFIG_FILE}"
> }

Unfortunately, it doesn't prevent code execution.

testvariable="$(which mkdir)"

testvariable will become "/bin/mkdir".

Essentially, I just want to set variables, without evaling any other
commands.
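
One way to read such a file purely as data, as an added example that is not part of the original thread: each line is matched against a fixed NAME="VALUE" grammar and the text is stored in an associative array, so nothing is passed to eval or source. The names parse_conf and CONF, the rule that a value may not contain a double quote, and the sample file are assumptions made for this example; it needs bash 4 or later.

```bash
#!/usr/bin/env bash
# Added example: read NAME="VALUE" settings as data. Nothing is eval'd or sourced.
declare -A CONF=()   # parsed settings are stored here, not as shell variables

# parse_conf FILE: fill CONF; on any line outside the grammar, empty CONF and return 1.
parse_conf() {
    local line name="" value="" closed="" bad=""
    # NAME="text, optionally closed by a quote on the same line; no inner quotes.
    local re_start='^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)="([^"]*)("?)[[:space:]]*$'
    local re_cont='^([^"]*)("?)[[:space:]]*$'   # later line of a multi-line value
    local re_skip='^[[:space:]]*(#.*)?$'        # blank line or comment
    CONF=()
    if ! [[ -r $1 ]]; then return 1; fi
    while IFS= read -r line || [[ -n $line ]]; do
        if [[ -n $name ]]; then                 # inside an open multi-line value
            if ! [[ $line =~ $re_cont ]]; then bad=1; break; fi
            value+=$'\n'${BASH_REMATCH[1]} closed=${BASH_REMATCH[2]}
        elif [[ $line =~ $re_skip ]]; then
            continue
        elif [[ $line =~ $re_start ]]; then
            name=${BASH_REMATCH[1]} value=${BASH_REMATCH[2]} closed=${BASH_REMATCH[3]}
        else
            bad=1; break                        # commands, unquoted values, trailing text
        fi
        if [[ -n $closed ]]; then CONF[$name]=$value; name=""; fi
    done < "$1"
    # A rejected line or an unterminated value invalidates the whole file.
    if [[ -n $bad || -n $name ]]; then CONF=(); return 1; fi
}

# Constructed sample in the layout from the question, plus the command
# substitution line from the reply. The quoted 'EOF' keeps it literal here.
sample=$(mktemp)
cat > "$sample" <<'EOF'
   # comments...
   var1="something"
   testvariable="$(which mkdir)"
   var3="Some

plain text
..."
EOF
if parse_conf "$sample"; then
    printf '%s=[%s]\n' testvariable "${CONF[testvariable]}"
else
    echo "rejected: $sample" >&2
fi
rm -f "$sample"
```

The stored values are still untrusted text: expand them only inside double quotes and never hand them to eval later.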


