Shell Programming and Scripting

Let's try to be mor specific. It's interesting, I'm curious about it.

The only way I'm able to think of is that of a parameter automatically built reading things (maliciously writable by others). For example, let's say I want to discard all files having the same extension of the files in the current directory.

Code:

lem@biggy:/tmp/dir$ ls -a1
.
..
a.txt
b.sh
c.pdf
malicious.; ls ~

Code:

lem@biggy:/tmp/dir$ for a in *.* ; do arr+=( "-not -name \*.${a##*.}" ) ; done

Code:

lem@biggy:/tmp/dir$ echo ${arr[@]}
-not -name \*.txt -not -name \*.sh -not -name \*.pdf -not -name \*.; ls ~

Code:

lem@biggy:/tmp/dir$ eval find /path ${arr[@]}
 ... funny output with ls, disaster with rm ...

So is this what you're fearing? Are there other noticeable and completely different dangers? Thanks.
--
Bye

How about a file named `rm -Rf ~/` ? That's a perfectly valid filename. Feed that filename into an eval and it will be executed.

If you quote it defensively, so what? They can put quotes and spaces in the filename to unquote it.

It needn't even be malicious. People can generate weird filenames by accident sometimes, and anything resembling shell syntax is something eval will try to parse, potentially causing syntax errors or worse. Eval can parse any shell syntax, so the only limit is your imagination.

And it's completely avoidable. Eval is not needed here.

I changed my code as follows

Code:

#!/bin/ksh

set -- "-not" "-name" "*.xom" "-a" "-not" "-name" "*.sh" "-a" "-not" "-name" "*.pl"

/usr/local/bin/find path/to/files $@ > FileList.txt

It is working beautifully and it sounds like it will be much safer to run. Thanks for your help.