Visit The New, Modern Unix Linux Community


Safe way to eval variable declarations?


 
Thread Tools Search this Thread
Top Forums Shell Programming and Scripting Safe way to eval variable declarations?
# 1  
Safe way to eval variable declarations?

Is there a safe way to evaluate variable declarations within a script whether they come from a .conf file, user input, or stdin?

Example .conf file:
Code:
server=ftp.xxxx.com
port=21
user="$USER"                 # Hopefully allow this type of substitution
domain="$DOMAIN"
server="$(malicious code)"   #prevent this!

Mike
# 2  
The only safe way for an open entry point into your code is to state and then test ONLY what you will allow.
Blocking what you will not allow is impossible, logically, because the number of wrong or potentially bad inputs is infinite.

Create a list of what is allowed. Check to see that your entry is in there:
Simple minded example, /etc/passwd is the list of allowed users and has : as a field separator; username is field #1, hence the printf format "%s:"
Code:
testvar=$(printf "%s:" $user)
grep -Fq "$testvar" /etc/passwd
[ $? -ne 0 ] && exit 1

# 3  
I'd suggest not using eval at all, just code your own allowed expansions e.g.:

Code:
expand='$RANDOM'
[ ${expand:0:1} = "$" ] && {
   expand=${expand:1}
   expand=${!expand}
}

So here we support $var and not $(command)
This User Gave Thanks to Chubler_XL For This Post:
# 4  
Quote:
Originally Posted by Chubler_XL
I'd suggest not using eval at all, just code your own allowed expansions e.g.:

Code:
expand='$RANDOM'
[ ${expand:0:1} = "$" ] && {
   expand=${expand:1}
   expand=${!expand}
}

So here we support $var and not $(command)
OK, so I understand what expand=${expand:1} is doing (cannot do anything but manipulate variable in variable substitution), but what does expand=${!expand} do?

Mike
# 5  
It gets the value of the variable "expand" and treats this as a variable name and the fetches its value.

So
Code:
$ t=5
$ x=t
$ y=x
$ echo ${!x}
5
$ echo ${!y}
t

This User Gave Thanks to Chubler_XL For This Post:

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #369
Difficulty: Medium
The name bytecode originates from instruction sets that have zero-byte opcodes followed by optional parameters.
True or False?

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

'eval' used in variable assignment

pattern1=book { x=1 eval echo \$pattern$x } book (this is the output) But when I assign a variable to the output of the eval it doesn't work unless I prefix 2 times backslash before $ as shown below. { a=`eval echo \\$pattern$x` echo $a } book Why here twice "\" has to be... (3 Replies)
Discussion started by: ravisingh
3 Replies

2. Shell Programming and Scripting

assign multiple rows value to a variable using eval

background : Solaris, ksh metresult="ooo > pp" ts=89 eval append_${ts}="$metresult" bash: pp: command not found I want to create a variable which has in a part of its name a dynamically-established number (stored in another variable) usually I do this with eval command. The problem I... (5 Replies)
Discussion started by: black_fender
5 Replies

3. UNIX for Advanced & Expert Users

Variable assignments specified with eval shell built-in

According to the POSIX specifications eval is a special shell built-in, which should imply that variable assignments specified together with it should remain in effect after the built-in completes. Thus one would expect IFS to be changed after this: var=$'a\nb c' $ IFS=$'\n' eval ' for i in... (4 Replies)
Discussion started by: Scrutinizer
4 Replies

4. Shell Programming and Scripting

assignment to variable from eval command

Hi Gurus, I am having 2 parameters as below parm1=value1 parm2=parm1 I want to evaluate parm1 value using eval echo \$$parm2 and later i want to assign this value to other variable which i will be using in if statement like : if ]; then do this....... fi could you please suggest... (5 Replies)
Discussion started by: k_vikash
5 Replies

5. Shell Programming and Scripting

eval and variable assignment

Hi, i have an issue with eval and variable assignment. 1) i have a date value in a variable and that date is part of a filename, var1=20100331 file1=${var1}-D1-0092.xml.zip file2=${var2}-D2-0092.xml.zip file3=${var3}-D3-0092.xml.zip i am passing the above variables to a script via... (11 Replies)
Discussion started by: mohanpadamata
11 Replies

6. Shell Programming and Scripting

Help with eval usage for string containing Environment Variable

Help !! First, Thanks in Advance Here is what I have I have an environment Variable, let's call it v_VALUE. v_VALUE="\$ORACLE_HOME/bin" Hence, the location is ORACLE_HOME is not evaluated. ORACLE_HOME happens to be /app/oracle/product/10.1.2 I need a method of returning the... (1 Reply)
Discussion started by: dhangliter
1 Replies

7. Shell Programming and Scripting

Passing eval value to a variable

Hello, I have a script that does an scp to a server and then gets the number of process running on that server, the o/P should be stored in a variable for further processing eval `echo "ssh -q $Infa_user@$host 'csh -c $CMD '"` where CMD="ps -ef | grep -i ${INFA_REPO} | grep -v grep | wc... (2 Replies)
Discussion started by: amit1_x
2 Replies

8. Shell Programming and Scripting

bin/sh eval variable assignment

Why can't I do this? eval "TEST=5;echo $TEST;"; THIS WORKS!! TEST=5;echo $TEST; (2 Replies)
Discussion started by: blasto333
2 Replies

9. Shell Programming and Scripting

How to assign eval value as Variable..

Im facing problem in assigning value of eval array variable as normal variable.. x=0 eval DATA${x}="FJSVcpcu" x=`expr $x + 1` eval DATA${x}="FJSVcsr" if x=0, type -> eval echo \$DATA$x , its give me FJSVcpcu i want assign this value into an variable as variable=`eval echo... (3 Replies)
Discussion started by: neruppu
3 Replies

10. Shell Programming and Scripting

eval a variable that has a .

Hi, Is there any way that I can eval the following - eval abc.csv=def.csv I am getting the - bash: command not found error. thanks. (3 Replies)
Discussion started by: ttshell
3 Replies

Featured Tech Videos