Re: [Help-bash] use variable as array name

From: Greg Wooledge
Subject: Re: [Help-bash] use variable as array name
Date: Mon, 5 Jan 2015 08:45:41 -0500
User-agent: Mutt/

On Sat, Jan 03, 2015 at 08:36:56PM -0800, Eduardo A. Bustamante López wrote:
> The tricky part of indirection is combining the array indirection with the
> ${#length} parameter expansion.

No, the tricky part of indirection with arrays is avoiding code injection
exploits.  The only way you can do indirection with arrays is with eval,
or with constructs that are just eval in disguise (like Bash's declare -n

imadev:~$ f() { declare -n ref="$1"; echo "$ref"; }
imadev:~$ a=(grape banana cherry)
imadev:~$ f 'a[i=0$(date >&2)]'
Mon Jan  5 08:35:40 EST 2015

In order to do this safely, you have to validate the input before letting
declare -n see it.

imadev:~$ f() { 
> if [[ $1 != [A-Za-z_]*([A-Za-z0-9_]) ]]; then echo "Nice try" >&2; return 1; 
> fi
> declare -n ref="$1"; echo "$ref" 
> }
imadev:~$ f 'a[i=0$(date >&2)]'
Nice try

And now I can't even remember whether bash's [[ command uses the C locale
for A-Z ranges, or the user's locale.  If it's the user's locale then
this has ANOTHER vulnerability. :(
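
Added example, not part of the original message: one way to make the name check independent of the user's locale before `declare -n` sees the input, and to apply it to the array-length case from the quoted text. It assumes bash 4.3 or later; `valid_name`, `array_len` and `__al_ref` are hypothetical names chosen for this sketch.

```bash
#!/usr/bin/env bash
# Added example, not code from the post. Needs bash 4.3+ for declare -n.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# valid_name NAME (hypothetical helper): succeed only for a plain ASCII
# identifier. LC_ALL=C is set locally so that A-Z, a-z and 0-9 are byte
# ranges regardless of the caller's locale.
valid_name() {
  local LC_ALL=C
  case $1 in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# array_len NAME (hypothetical helper): print how many elements the array
# called NAME holds. The name is checked before declare -n ever sees it.
array_len() {
  if ! valid_name "$1"; then
    echo "array_len: not a valid variable name" >&2
    return 1
  fi
  # Refuse our own local's name: a nameref cannot point at itself.
  if [[ $1 == __al_ref ]]; then
    echo "array_len: reserved name" >&2
    return 1
  fi
  declare -n __al_ref="$1"
  echo "${#__al_ref[@]}"
}

# Sample data as in the post; the second call reuses the post's payload.
a=(grape banana cherry)
array_len a
array_len 'a[i=0$(date >&2)]' || true
```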
