Sanitize user input in bash for security purposes

后端 未结 1 1156
隐瞒了意图╮
隐瞒了意图╮ 2020-12-13 04:42

How do I sanitise user input in a bash script so that I can then pass it as an argument to another shell program? I want to prevent the following:

INPUT=\"fi         


        
相关标签:
1条回答
  • 2020-12-13 04:57

    The Short

    Bash already deals with that. Quoting it is sufficient.

    ls "$INPUT"
    

    The Long

    A rough guide to how the shell parses this line is:

    "ls \"$INPUT\""                     # Raw command line.
    ["ls", "\"$INPUT\""]                # Break into words.
    ["ls", "\"filename; rm -rf /\""]    # Perform variable expansion.
    ["ls", "\"filename; rm -rf /\""]    # Perform word splitting (no change).
    ["ls", "filename; rm -rf /"]        # Remove quotes.
    

    Because of the quotes the $INPUT variable does not undergo word splitting. The ls will look for a file named filename; rm -rf /.

    If you didn't quote it then the expansion would proceed differently:

    "ls $INPUT"                             # Raw command line.
    ["ls", "$INPUT"]                        # Break into words.
    ["ls", "filename; rm -rf /"]            # Perform variable expansion.
    ["ls", "filename;", "rm", "-rf", "/"]   # Perform word splitting.
    

    You can at least have consolation that this won't actually execute rm -rf /. Rather, it'll pass each of those strings as a file name to ls. You'll ls some files you didn't intend but at least it won't accidentally execute unwanted commands.

    jkugelman$ VAR='.; echo hi'
    jkugelman$ ls $VAR
    ls: .;: No such file or directory
    ls: echo: No such file or directory
    ls: hi: No such file or directory
    

    Excerpts from "man bash":

    QUOTING

    Quoting is used to remove the special meaning of certain characters or words to the shell. Quoting can be used to disable special treatment for special characters, to prevent reserved words from being recognized as such, and to prevent parameter expansion.

    EXPANSION

    Expansion is performed on the command line after it has been split into words. There are seven kinds of expansion performed: brace expansion, tilde expansion, parameter and variable expansion, command substitution, arithmetic expansion, word splitting, and pathname expansion.

    Only brace expansion, word splitting, and pathname expansion can change the number of words of the expansion; other expansions expand a single word to a single word. The only exceptions to this are the expansions of "$@" and "${name[@]}" as explained above (see PARAMETERS).

    Word Splitting

    The shell scans the results of parameter expansion, command substitution, and arithmetic expansion that did not occur within double quotes for word splitting.

    Quote Removal

    After the preceding expansions, all unquoted occurrences of the characters \, ', and " that did not result from one of the above expansions are removed.

    0 讨论(0)
提交回复
热议问题