shell variable security

Jacques B. jjrboucher at gmail.com
Wed Oct 3 16:38:57 UTC 2007


On 10/3/07, tony.chamberlain at lemko.com <tony.chamberlain at lemko.com> wrote:
>
> I have to write some BASH scripts.
>
> We have all heard about security problems with shell variables
> (i.e. when entering a name someone enters something like "Tony; rm -rf
> /root/*") so that if the BASH script echoes it, it will do something like
> echo Tony; rm -rf /root/*.
>
> Now we have honest users here, but I still want to do some checks.  If I
> read in or get a shell variable from a user I could do something like
>
>     echo "$VAR" | grep '[^a-zA-Z/_-]'
>     if [ $? -eq 0 ]
>     then
>         echo "You have entered a bad character"
>         exit 1
>     fi
>
> but that still runs into the problem like above with the echo.  I also could
> do
>
> case "$VAR" in
>     *\;*|*\:*) echo "you have a bad character"
>         ;;
> esac
>
> but I am not sure that is best either.  Is there any way to validate shell
> variables?
>
> I know Javascript, etc., has something like url_encode()
> --

If all you are looking for is to grab everything up to the first ; or :
(anything after is deemed invalid), you could use string manipulation.
Test it out as follows:

read name; echo ${name%%+(;|:)*}

It will echo everything up to the first ; or : (omitting the invalid
character and everything after it).

This will only work if you have extglob enabled with shopt.

If this does what you want, you can assign the value of your variable
using that string manipulation, hence cutting out the ; or : and
everything after.  No testing conditions.  If there are other
characters you wish to exclude, simply add them to the pattern,
separating each with the pipe |.

Type shopt to see your shell options.  See if extglob is on.  If not,
you can turn it on with
shopt -s extglob

You can later unset that option with shopt -u extglob.

Of course you'll likely want your script to save the setting for
extglob at the start, set it on for the script, then reset it back to
what it was after.

Jacques B.
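As an added example (not code from either poster), the two approaches discussed in this thread side by side: an allowlist check written as a case pattern, which is what the questioner's case statement was reaching for, and a truncating variant of the suggestion above. It uses the POSIX expansion ${var%%[;:]*} instead of the extglob-only +(;|:) pattern so it runs in plain sh as well as bash; the function names and the SAMPLE value are constructed for the example.

```sh
#!/bin/sh
# Allowlist check: succeed only if every character of $1 is in the safe set.
# Same test as the grep pipeline in the question, but as a case pattern it
# needs no subprocess and never exposes the value to command parsing.
is_safe_name() {
    case "$1" in
        '')                return 1 ;;   # reject empty input as well
        *[!A-Za-z0-9_/-]*) return 1 ;;   # any character outside the allowlist
        *)                 return 0 ;;
    esac
}

# Truncating variant of the ${name%%+(;|:)*} suggestion, using the POSIX
# form ${1%%[;:]*}: drop the longest suffix that starts at the first ; or :.
# Note that this silently turns bad input into "good" input; rejecting with
# is_safe_name is the safer default because nothing gets through unnoticed.
strip_at_separator() {
    printf '%s' "${1%%[;:]*}"
}

# Constructed sample of the kind of value the question describes.
SAMPLE='Tony; rm -rf /root/*'

# A quoted expansion is printed as data and is never run as a command;
# printf '%s' is used rather than echo so that values starting with "-"
# or containing backslashes are not reinterpreted as options or escapes.
printf 'input: %s\n' "$SAMPLE"

if is_safe_name "$SAMPLE"; then
    printf 'accepted: %s\n' "$SAMPLE"
else
    printf 'rejected: contains a character outside the allowlist\n'
fi
printf 'truncated: %s\n' "$(strip_at_separator "$SAMPLE")"
```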
