shell variable security
tony.chamberlain at lemko.com
Wed Oct 3 15:15:05 UTC 2007
I have to write some BASH scripts.
We have all heard about security problems with shell variables
(i.e. when entering a name someone enters something like "Tony; rm -rf /root/*")
so that if the BASH script echoes it, it will do something like echo Tony; rm -rf /root/*.
Now we have honest users here, but I still want to do some checks. If I read in or get a shell variable from a user
I could do something like
    echo "$VAR" | grep '[^a-zA-Z/_-]'
    if [ $? -eq 0 ]
    then
        echo "You have entered a bad character"
        exit 1
    fi
but that still runs into the problem like above with the echo. I also could do
    case "$VAR" in
        # the leading and trailing * match the character anywhere in the value
        *\;*|*\:*) echo "you have a bad character"
            ;;
    esac
but I am not sure that is best either. Is there any way to validate shell variables?
I know JavaScript, etc., has something like url_encode().
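
An added example, not part of the original post: one way to do the allowlist check with the shell's own case matching, so that no echo and grep pipeline is involved. The function names and the extra rule rejecting a leading "-" are assumptions made for this illustration; the allowed character set is the one from the grep pattern above.

```shell
#!/bin/bash
# Added example, not code from the original post.

# is_safe_name VALUE
# Succeeds only if VALUE is non-empty, contains nothing but the characters
# the post's grep pattern allows (ASCII letters, "/", "_", "-"), and does
# not begin with "-". The leading "-" rule is an extra assumption made
# here so the value cannot be mistaken for a command option later.
is_safe_name() (
    LC_ALL=C    # keep a-z and A-Z limited to ASCII; confined to this subshell
    case "$1" in
        '')              exit 1 ;;   # empty
        -*)              exit 1 ;;   # would look like an option
        *[!a-zA-Z/_-]*)  exit 1 ;;   # any character outside the allowlist,
                                     # including newlines and other whitespace
    esac
    exit 0
)

# check_name VALUE
# Prints a verdict and returns the validator's status. printf with a quoted
# "%s" argument writes the value as data; it is never parsed as shell code.
check_name() {
    if is_safe_name "$1"; then
        printf 'accepted: %s\n' "$1"
    else
        printf 'rejected: %s\n' "$1"
        return 1
    fi
}

# Constructed sample inputs; the second is the string from the post.
for sample in 'Tony' 'Tony; rm -rf /root/*' 'usr/local_bin' '-rf' ''; do
    check_name "$sample" || true
done
```

Because the pattern is matched against the whole value rather than line by line, a value with an embedded newline is rejected as well.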