Protecting arguments containing spaces from eval
Original question
For your preferred use-case, you'd simply write (inside my_command
):
"$@"
to execute the command as given.
Your eval
line is odd:
eval 'sed 's/foo/foo'" "'bar/g' filename'
Because of the way single quotes don't nest, it is equivalent to:
eval 'sed s/foo/foo" "bar/g filename'
Revised question
Possible solution:
egrep '/.*/' filename | sh
This feeds what is in filename
directly to the shell for interpretation. Given file
containing:
Some text containing foo; and bar.More foo bar?More text; more foo and bar; more foo bar beyond the possibility of unfooing.
The output is:
Some text containing foo bar; and bar.More foo bar bar?More text; more foo bar and bar; more foo bar bar beyond the possibility of unfoo baring.
Fixing quotes is hard!
Note that your complex sed
script is not complex enough. Given filename
containing:
sed 's/foo/foo bar/g' filesed 's/foo bar/foo bar baz/g' file
the output from:
egrep '/.*/' filename |sed 's/\(.*\)['"'"']\(.*\) \(.*\)['"'"']\(.*\)/\1'"\'"'\2" "\3'"\'"'\4/g'
is:
sed 's/foo/foo" "bar/g' filesed 's/foo bar/foo bar" "baz/g' file
which has not solved all the problems for the eval
.
I've spent a lot of time, on and off, working on such issues over quite a long period of time (a quarter century is no exaggeration), and it isn't trivial. You can find one discussion in extenso in How to iterate over arguments in bash script. Somewhere, I have another answer which goes through gyrations about this stuff, but I can't immediately find it (where 'immediately' means an hour or so of distracted searching, where the distractions were sets of duplicate questions, etc). It may have been deleted, or I may have looked in the wrong place.
your design is flawed. Create a user interface that doesn't let them input commands directly. give options, or let them enter the parameters only.At the back end, you do your sanitization check on the parameters before calling sed
or other tools desired. You don't have to use eval
Array quoting
The following keeps spaces in arguments by quoting each element of array:
function token_quote { local quoted=() for token; do quoted+=( "$(printf '%q' "$token")" ) done printf '%s\n' "${quoted[*]}"}
Example usage:
$ token_quote token 'single token' tokentoken single\ token token
Above, note the single token
's space is quoted as \
.
$ set $(token_quote token 'single token' token)$ eval printf '%s\\n' "$@"tokensingle tokentoken$
This shows that the tokens are indeed kept separate.
Given some untrusted user input:
% input="Trying to hack you; date"
Construct a command to eval:
% cmd=(echo "User gave:" "$input")
Eval it, with seemingly correct quoting:
% eval "$(echo "${cmd[@]}")"User gave: Trying to hack youThu Sep 27 20:41:31 +07 2018
Note you were hacked. date
was executed rather than being printed literally.
Instead with token_quote()
:
% eval "$(token_quote "${cmd[@]}")"User gave: Trying to hack you; date%
eval
isn't evil - it's just misunderstood :)