[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Help-bash] use variable as array name
|
From: |
Greg Wooledge |
|
Subject: |
Re: [Help-bash] use variable as array name |
|
Date: |
Mon, 5 Jan 2015 08:45:41 -0500 |
|
User-agent: |
Mutt/1.4.2.3i |
On Sat, Jan 03, 2015 at 08:36:56PM -0800, Eduardo A. Bustamante López wrote:
> The tricky part of indirection is combining the array indirection with the
> ${#length} parameter expansion.
No, the tricky part of indirection with arrays is avoiding code injection
exploits. The only way you can do indirection with arrays is with eval,
or with constructs that are just eval in disguise (like Bash's declare -n
syntax).
imadev:~$ f() { declare -n ref="$1"; echo "$ref"; }
imadev:~$ a=(grape banana cherry)
imadev:~$ f 'a[i=0$(date >&2)]'
Mon Jan 5 08:35:40 EST 2015
grape
In order to do this safely, you have to validate the input before letting
declare -n see it.
imadev:~$ f() {
> if [[ $1 != [A-Za-z_]*([A-Za-z0-9_]) ]]; then echo "Nice try" >&2; return 1;
> fi
> declare -n ref="$1"; echo "$ref"
> }
imadev:~$ f 'a[i=0$(date >&2)]'
Nice try
And now I can't even remember whether bash's [[ command uses the C locale
for A-Z ranges, or the user's locale. If it's the user's locale then
this has ANOTHER vulnerability. :(