this script is evaluating external input, a highly insecure practice.
What are some ways to deal with or even replace eval evaluating external inputs in a script?
Thanks.
Just make sure that the arguments passed to eval are not coming from external input or that, if they are, you've sanitized them beforehand.
As in, don't do:
n=0
....
n=$((n + 1))
eval "var$n=$1"
$n is under your control, the content of $1 is not. If $1 is foo;reboot for instance, eval will receive the var3=foo;reboot code to interpret and that will run reboot.
Use:
eval "var$n=\$1"
Then, instead, eval will receive var3=$1 which is fine.
eval "$1=\$2"
Would be wrong as well. You'd need to make sure the content of $1 is only from a set of accepted values (sanitizing):
unset -v var1 foo bar
case $1 in
(var1 | foo | bar) eval "$1=\$2";;
(*) echo >&2 unexpected variable name; exit 1;;
esac
Note that eval is not the only command that evaluates arbitrary code; there are plenty of others like sh, perl, awk, sed, even read, export, typeset, printf, test or [ in some shells. You need to be equally careful with them when passing external input as their arguments.
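As an added example (not the answer's own code), here is a small POSIX sh script that packages the allow-listed variable name and the `\$2` trick above into reusable functions and applies them to untrusted `key=value` lines. The function names, the `cfg_` prefix and the `kv_rejected` counter are my own choices.

```shell
#!/bin/sh
# is_ident NAME: succeed only if NAME is a plain shell identifier.
is_ident() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1;;  # empty, leading digit, or any
                                               # char outside [A-Za-z0-9_]
    esac
    return 0
}

# assign_var NAME VALUE: set shell variable NAME to VALUE.
# The text eval parses is only  NAME=$2 ; $2 is expanded after parsing,
# so a value such as 'foo;reboot' is stored as a string, never executed.
assign_var() {
    is_ident "$1" || { printf 'assign_var: bad name: %s\n' "$1" >&2; return 1; }
    eval "$1=\$2"
}

# get_var NAME: print the value of NAME (same validation, same technique).
get_var() {
    is_ident "$1" || return 1
    eval "printf '%s\\n' \"\$$1\""
}

# load_kv PREFIX: read 'key=value' lines from stdin (untrusted config) and
# set PREFIX_key for each valid key. Lines without '=' or with a key that
# is not an identifier are reported and skipped, never evaluated.
# Sets kv_rejected to the number of skipped lines; returns 0 only if none.
load_kv() {
    kv_rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        value=${line#*=}
        if [ "$key" = "$line" ] || ! is_ident "$key"; then
            printf 'load_kv: skipping line: %s\n' "$line" >&2
            kv_rejected=$((kv_rejected + 1))
            continue
        fi
        assign_var "${1}_$key" "$value"
    done
    [ "$kv_rejected" -eq 0 ]
}
```

With a constructed input such as the line `name=$(date)`, `cfg_name` ends up holding the literal characters `$(date)` rather than the output of the command.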