shell variable security

tony.chamberlain at lemko.com
Wed Oct 3 15:15:05 UTC 2007


I have to write some BASH scripts.
We have all heard about security problems with shell variables
(i.e. when entering a name someone enters something like "Tony; rm -rf /root/*" )
so that if the BASH script echoes it, it will do something like echo Tony; rm -rf /root/*.

Now we have honest users here, but I still want to do some checks. If I read in or get a shell variable from a user
I could do something like

 # grep exits 0 when "$VAR" contains a character outside the allowed set
 echo "$VAR" | grep '[^a-zA-Z/_-]'
 if [ $? -eq 0 ]
 then
   echo "You have entered a bad character"
   exit 1
 fi

but that still runs into the problem like above with the echo. I also could do

case "$VAR" in
 # match ";" or ":" anywhere in the value, not only a value that is exactly ";" or ":"
 *\;*|*\:*) echo "you have a bad character"
 ;;
esac


but I am not sure that is best either. Is there any way to validate shell variables?
I know JavaScript, etc., has something like url_encode().
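
One way to do the check asked about above, as an added example that is not part of the original post: an allowlist test using the shell's own `case` matching, so the value never goes through `echo`, `grep` or `eval`, and is only ever expanded inside double quotes. The function names and sample strings are constructed; rejecting a leading `-` is an extra check beyond the post's character list.

```bash
#!/usr/bin/env bash
# Added example: function names and sample strings are constructed.

# Succeed only if $1 is non-empty and consists solely of the characters the
# post's grep pattern allows (letters, "/", "_", "-"). Uses the shell's own
# pattern matching, so the value never passes through echo or a pipeline.
is_valid_name() {
    local LC_ALL=C                      # make a-z / A-Z mean ASCII only
    case "$1" in
        '')              return 1 ;;    # empty input
        -*)              return 1 ;;    # extra check: looks like an option
        *[!a-zA-Z/_-]*)  return 1 ;;    # a character outside the allowlist
        *)               return 0 ;;
    esac
}

# Report the verdict. "$1" is double-quoted and passed as a printf argument,
# so it is printed as data; the shell does not re-parse it as commands.
describe() {
    if is_valid_name "$1"; then
        printf 'accepted: %s\n' "$1"
    else
        printf 'rejected: %s\n' "$1"
    fi
}

# Read one line from stdin without word splitting or backslash processing,
# print it only if it validates, otherwise complain on stderr.
read_valid_name() {
    local name=
    IFS= read -r name || [ -n "$name" ] || return 1
    if ! is_valid_name "$name"; then
        printf 'You have entered a bad character\n' >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# Constructed sample inputs.
for sample in 'Tony' 'srv/tony_c' 'Tony; echo INJECTED' '-n' ''; do
    describe "$sample"
done
```

In a script, `NAME=$(read_valid_name) || exit 1` takes the value from the user and stops on anything outside the allowlist.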
