Re: [Help-bash] avoiding shell variable expansion


From: Dmitry Alexandrov
Subject: Re: [Help-bash] avoiding shell variable expansion
Date: Fri, 04 Oct 2019 08:45:10 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Andy Chu <address@hidden> wrote:
> On Thu, Oct 3, 2019 at 8:43 PM Dmitry Alexandrov <address@hidden> wrote:
>> Andy Chu <address@hidden> wrote:
>> > On Thu, Oct 3, 2019 at 3:07 PM Greg Silverman <address@hidden> wrote:
>> >> In Python one can spawn a child process and avoid bash expanding command line arguments, e.g.
>> >>
>> >> # file: ls.py
>> >> import subprocess
>> >> proc = subprocess.Popen(['/bin/ls','*'],shell=False)
>> >
>> > Simplest way:
>> > $ mycmd=(ls '*')
>> > $ "${mycmd[@]}"
>> > ls: cannot access '*': No such file or directory
>>
>> Why the array?  ¿Is not this exactly the same as:
>>
>>         $ ls '*'
>
> It is exactly the same, except that the argv array is in data, not in source 
> code.
>
> When someone's asking about "code injection", they're asking about processing 
> data from elsewhere.  So the command isn't written literally in the source, 
> but read from somewhere else.

It’s not an answer at all then: putting a command into an array does _not_ 
sanitize it.

> Of course I wrote the array in the source code, and maybe that's the 
> confusion.  But the array can come from anywhere, or more likely it's a PART 
> of the array that comes from somewhere, and another part is written in the 
> script.

Well, I believe it is better to ask Greg Silverman to clarify the task he’s 
solving, instead of trying to guess what he actually wants.
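
An added example, not part of the original thread: it shows both points made above, that an array element reaches the program as one literal argument while the same data pasted into a command string is parsed again, and that the array by itself validates nothing. The names `show_argv`, `run_as_string`, `run_as_array` and `build_argv` are hypothetical, and the `untrusted` value is constructed.

```shell
#!/usr/bin/env bash
# Arrays are a bash feature: re-run under bash if started by a plain POSIX sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed sample of data "from elsewhere"; the extra command is a harmless echo.
untrusted='* ; echo INJECTED'

# Stand-in for a real program: reports the argv it actually received.
show_argv() { printf '%d' "$#"; printf ' [%s]' "$@"; printf '\n'; }

# Weak: the data becomes source text, so the shell splits, globs and
# parses it again; the ";" starts a second command.
run_as_string() { eval "show_argv $1"; }

# Better: the data is one array element, the argv is "in data, not in
# source code"; no word splitting, no globbing, no re-parsing.
run_as_array() {
  local -a cmd=(show_argv "$1")
  "${cmd[@]}"
}

# The array does not sanitize: data used as argv[0] still picks the program,
# and data starting with "-" is still read as an option by that program.
# Validate before building the argv. Prints one argv element per line.
build_argv() {
  local tool=$1 name=$2
  case $tool in
    ls|stat) ;;                      # allowlist for argv[0] (assumed policy)
    *) return 1 ;;
  esac
  local -a cmd=("$tool" -- "$name")  # "--" ends option parsing
  printf '%s\n' "${cmd[@]}"
}

run_as_string "$untrusted"           # argv depends on cwd; INJECTED is printed
run_as_array  "$untrusted"           # one argument, passed through literally
build_argv ls -la                    # "-la" lands after "--" as a file name
build_argv rm x || echo "rejected: rm is not on the allowlist"
```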
