Can I do this without eval? (zsh)


 
# 1  
Old 01-24-2017

I have in one shell variable, op, a string which represents a "test operator" in a [[ ... ]] construct, for instance -d or -n or -s, and in another shell variable, arg, some arbitrary string. What I want to achieve is basically this:

Code:
#This is INCORRECT code. I just want to get you the idea, what I'm looking for.
if  [[ ! $op $arg ]]
then
   do_something
fi

Of course, this does not work, because the operator - being a syntax construct - can not be substituted.

The closest solution I found is this:

Code:
if eval "[[ ! $op '$arg' ]]"
then
   do_something
fi

I'm not happy with this for two reasons:

1. It breaks if $arg contains sequences of backslashes or single quotes
2. While I have good control of what is stored into $op, I don't have so good control of what is stored on $arg, so it is a security hole.

I could scan arg before and reject it completely if arg contains either backslash or single quote - I reckon that any exploit of the security hole would require either this or the other -, but I wonder whether there is a simpler way to code this.

A proposed solution can be zsh-specific, but should be upward compatible from zsh 5.0. Any ideas?
# 2  
Old 01-24-2017
So this takes a single $op, such as "-z", and a single $arg, which is supposed to be a literal value? Feed them into the test external to test them outside the shell:

Code:
if test "$op" "$arg"
then
...
fi

test won't support the full extended zsh syntax, just the basic bourne. It won't evaluate any shell code or variables whatsoever and will never make your program quit from syntax error. If someone tries inserting multiple things into $op to be tricky, it just won't work.
These 2 Users Gave Thanks to Corona688 For This Post:
# 3  
Old 01-24-2017
Quote:
Originally Posted by Corona688
So this takes a single $op, such as "-z", and a single $arg, which is supposed to be a literal value? Feed them into the test external to test them outside the shell:

Code:
if test "$op" "$arg"
then
...
fi

test won't support the full extended zsh syntax, just the basic bourne. It won't evaluate any shell code or variables whatsoever and will never make your program quit from syntax error. If someone tries inserting multiple things into $op to be tricky, it just won't work.
op is safe, because I run into this code only if op matches the glob pattern -[a-zA-Z].

I like your idea, because of its simplicity. Its main drawback is that, at least according to my manpage of test, it does not work with the -N file test operator (true if file exists and its access time is not newer than its modification time), so I have to think about how important this is for me. It also doesn't work with -o, which is not really a problem though, because this is not a file test.

Currently, I'm guarding the argument with

Code:
if [[ "${arg//['\\]/}" == $arg ]]
then
  # we are safe here
else 
  # danger!
fi

which also has the nasty side effect, that the quoting upsets the syntax highlighter of my text editor (IntelliJ IDEA) in the same way as it upsets syntax highlighting in this forum....
# 4  
Old 01-24-2017
Quote:
Originally Posted by rovf
I like your idea, because of its simplicity. Its main drawback is that, at least according to my manpage of test, it does not work with the -N file test operator (true if file exists and its access time is not newer than its modification time)
I just tried that out of curiosity and now realize I was slightly wrong.

In most shells, test is a builtin which supports all operators the shell does.

Code:
$ test -N /etc/passwd
$ echo $?
0
$ whereis test
test: /usr/bin/test /usr/share/man/man1/test.1.bz2 /usr/share/man/man1p/test.1p.bz2
$ /usr/bin/test -N /etc/passwd
/usr/bin/test: extra argument '-N'
$

...so if your shell has it as a builtin you are set.

I definitely recommend against injection rejection which leaves you wide open to things you don't know about and can react badly to valid things you still didn't expect. (What if a filename contains a literal backtick?) Better to not leave the door open in the first place and use something which doesn't allow for shell interpretation.

Last edited by Corona688; 01-24-2017 at 01:19 PM..
# 5  
Old 01-24-2017
Please test with type
Code:
type test
test is a shell builtin
type "["
[ is a shell builtin

if  [ ! "$op" "$arg" ]
then
    do_something
fi

Compare this with
Code:
type "[["


Last edited by MadeInGermany; 01-24-2017 at 01:26 PM..
# 6  
Old 01-24-2017
Quote:
Originally Posted by MadeInGermany
Please test with type
Code:
if  [ ! $op $arg ]
then
    do_something
fi

This makes it possible for the user to force the shell to quit with a syntax error. That's something test won't do.
# 7  
Old 01-24-2017
What do you mean? [ ] and test are functionally identical.
In my code example I have added quotes around the variables, for increased robustness.
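
Added example, not code from any poster in this thread: the eval-free check the replies converge on, in portable sh syntax that zsh also accepts, together with the quoting difference discussed in posts #5 to #7. The function names (safe_test, not_safe_test, demo_literal_name, unquoted_empty, quoted_empty) are hypothetical and the sample values are constructed.

```shell
# Added example, not from the thread. Function names are hypothetical and
# the sample values are constructed.

# safe_test OP ARG: apply a unary test operator to ARG without eval.
# Status: 0 = true, 1 = false, 2 = OP rejected or not supported by test.
safe_test() {
    case $1 in
        -[a-zA-Z]) ;;    # the allowlist pattern rovf describes for $op
        *) return 2 ;;
    esac
    # Quoted, OP and ARG reach the builtin as two literal words; nothing
    # in ARG is parsed as shell code, whatever characters it contains.
    test "$1" "$2"
}

# Negation done by the shell, so test always sees exactly two words and
# OP can only be read as a unary operator.
not_safe_test() {
    safe_test "$1" "$2" && return 1    # true  -> negated: false
    [ $? -eq 1 ] && return 0           # false -> negated: true
    return 2                           # rejected OP / test error stays an error
}

# A directory whose name holds a quote, backticks, a backslash and "$(...)"
# is found by -d; the name is only ever data.
demo_literal_name() {
    tmp=$(mktemp -d) || return 2
    name="$tmp/it's \`id\` \\ \$(id)"
    mkdir "$name" && safe_test -d "$name"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Unquoted, an empty ARG vanishes and "[ ! -d ]" tests the string "-d".
unquoted_empty() { op=-d arg=; [ ! $op $arg ]; }      # status 1: wrong answer
quoted_empty()   { op=-d arg=; [ ! "$op" "$arg" ]; }  # status 0: "" is no directory
```

With the `!` inside the brackets, test receives three words, and under the POSIX argument-count rules (followed by bash, for example) a middle word of -a or -o is read as a binary operator; that is why the negation here is done outside test.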