Skip to main content
Unix & Linux

Return to Answer

replaced http://unix.stackexchange.com/ with https://unix.stackexchange.com/
Source Link
Community Bot
Community Bot
  • 1

Using eval here makes no sense whatsoever. Before you decide how to fix your script, think carefully about your requirements and write them down. Reading your question, it's clear that you don't have a clear understanding of what you want to do, and you aren't going to solve this problem until you figure out what you expect from a solution.

assumed that every unsafe string has at least a space in it

No, not even close. Your script allows the user to execute arbitrary code, since it allows the user to type any string not containing spaces and newlines. The user could use tabs and semicolons instead. Even without any whitespace, the user could type command substitutions:

`touch /tmp/this_is_executed`somefile
$(touch /tmp/this_is_executed)somefile

Is this a problem? It depends on what you're trying to do. Is the input coming from the user who runs your script from a normal account? If so, there is no security problem, but it doesn't make sense for the script to read input from standard input: it should take a command line argument instead, and then the command line shell would do the variable expansions that you want. If your script runs with elevated privileges or takes input over the network, then eval is most definitely evil, and you should not use it until you understand the implications. eval takes a string as argument (if it has multiple arguments, they're joined together with spaces in between) and executes it as shell code. If you didn't want to execute shell code, eval is the wrong tool.

If the script is taking unprivileged input, then it's the wrong place to perform variable expansion. Do that in the interface that feeds input to your script, running with the privileges of the user (e.g. use Javascript if the input is coming from a web browser). In your script, you'll need to check that the specified file names are in a directory that the user is supposed to have access to. Be careful about .. and symbolic links that might allow escaping a directory tree, and about leading - that can be parsed as options instead of file namesand about leading - that can be parsed as options instead of file names.

Using eval here makes no sense whatsoever. Before you decide how to fix your script, think carefully about your requirements and write them down. Reading your question, it's clear that you don't have a clear understanding of what you want to do, and you aren't going to solve this problem until you figure out what you expect from a solution.

assumed that every unsafe string has at least a space in it

No, not even close. Your script allows the user to execute arbitrary code, since it allows the user to type any string not containing spaces and newlines. The user could use tabs and semicolons instead. Even without any whitespace, the user could type command substitutions:

`touch /tmp/this_is_executed`somefile
$(touch /tmp/this_is_executed)somefile

Is this a problem? It depends on what you're trying to do. Is the input coming from the user who runs your script from a normal account? If so, there is no security problem, but it doesn't make sense for the script to read input from standard input: it should take a command line argument instead, and then the command line shell would do the variable expansions that you want. If your script runs with elevated privileges or takes input over the network, then eval is most definitely evil, and you should not use it until you understand the implications. eval takes a string as argument (if it has multiple arguments, they're joined together with spaces in between) and executes it as shell code. If you didn't want to execute shell code, eval is the wrong tool.

If the script is taking unprivileged input, then it's the wrong place to perform variable expansion. Do that in the interface that feeds input to your script, running with the privileges of the user (e.g. use Javascript if the input is coming from a web browser). In your script, you'll need to check that the specified file names are in a directory that the user is supposed to have access to. Be careful about .. and symbolic links that might allow escaping a directory tree, and about leading - that can be parsed as options instead of file names.

Using eval here makes no sense whatsoever. Before you decide how to fix your script, think carefully about your requirements and write them down. Reading your question, it's clear that you don't have a clear understanding of what you want to do, and you aren't going to solve this problem until you figure out what you expect from a solution.

assumed that every unsafe string has at least a space in it

No, not even close. Your script allows the user to execute arbitrary code, since it allows the user to type any string not containing spaces and newlines. The user could use tabs and semicolons instead. Even without any whitespace, the user could type command substitutions:

`touch /tmp/this_is_executed`somefile
$(touch /tmp/this_is_executed)somefile

Is this a problem? It depends on what you're trying to do. Is the input coming from the user who runs your script from a normal account? If so, there is no security problem, but it doesn't make sense for the script to read input from standard input: it should take a command line argument instead, and then the command line shell would do the variable expansions that you want. If your script runs with elevated privileges or takes input over the network, then eval is most definitely evil, and you should not use it until you understand the implications. eval takes a string as argument (if it has multiple arguments, they're joined together with spaces in between) and executes it as shell code. If you didn't want to execute shell code, eval is the wrong tool.

If the script is taking unprivileged input, then it's the wrong place to perform variable expansion. Do that in the interface that feeds input to your script, running with the privileges of the user (e.g. use Javascript if the input is coming from a web browser). In your script, you'll need to check that the specified file names are in a directory that the user is supposed to have access to. Be careful about .. and symbolic links that might allow escaping a directory tree, and about leading - that can be parsed as options instead of file names.

Source Link
Gilles 'SO- stop being evil'
Gilles 'SO- stop being evil'
  • 865.5k
  • 205
  • 1.8k
  • 2.3k

Using eval here makes no sense whatsoever. Before you decide how to fix your script, think carefully about your requirements and write them down. Reading your question, it's clear that you don't have a clear understanding of what you want to do, and you aren't going to solve this problem until you figure out what you expect from a solution.

assumed that every unsafe string has at least a space in it

No, not even close. Your script allows the user to execute arbitrary code, since it allows the user to type any string not containing spaces and newlines. The user could use tabs and semicolons instead. Even without any whitespace, the user could type command substitutions:

`touch /tmp/this_is_executed`somefile
$(touch /tmp/this_is_executed)somefile

Is this a problem? It depends on what you're trying to do. Is the input coming from the user who runs your script from a normal account? If so, there is no security problem, but it doesn't make sense for the script to read input from standard input: it should take a command line argument instead, and then the command line shell would do the variable expansions that you want. If your script runs with elevated privileges or takes input over the network, then eval is most definitely evil, and you should not use it until you understand the implications. eval takes a string as argument (if it has multiple arguments, they're joined together with spaces in between) and executes it as shell code. If you didn't want to execute shell code, eval is the wrong tool.

If the script is taking unprivileged input, then it's the wrong place to perform variable expansion. Do that in the interface that feeds input to your script, running with the privileges of the user (e.g. use Javascript if the input is coming from a web browser). In your script, you'll need to check that the specified file names are in a directory that the user is supposed to have access to. Be careful about .. and symbolic links that might allow escaping a directory tree, and about leading - that can be parsed as options instead of file names.