Sanitize user input in bash for security purposes


Question


How do I sanitise user input in a bash script so that I can then pass it as an argument to another shell program? I want to prevent the following:

INPUT="filename;rm -rf /"
ls $INPUT


I was thinking it should be enough to surround the user input in double quotes like so:

ls "$INPUT"


but what if there is a double quote in $INPUT?


Or does bash already deal with this problem?

Answer


The Short

Bash already deals with that. Quoting it is sufficient.

ls "$INPUT"


The Long

A rough guide to how the shell parses this line is:

ls "$INPUT"                       # Raw command line.
["ls", "\"$INPUT\""]              # Break into words.
["ls", "\"filename; rm -rf /\""]  # Perform variable expansion.
["ls", "\"filename; rm -rf /\""]  # Perform word splitting (no change).
["ls", "filename; rm -rf /"]      # Remove quotes.


Because of the quotes the $INPUT variable does not undergo word splitting. The ls will look for a file named filename; rm -rf /.


If you didn't quote it then the expansion would proceed differently:

ls $INPUT                               # Raw command line.
["ls", "$INPUT"]                        # Break into words.
["ls", "filename; rm -rf /"]            # Perform variable expansion.
["ls", "filename;", "rm", "-rf", "/"]   # Perform word splitting.


You can at least have consolation that this won't actually execute rm -rf /. Rather, it'll pass each of those strings as a file name to ls. You'll ls some files you didn't intend but at least it won't accidentally execute unwanted commands.

jkugelman$ VAR='.; echo hi'
jkugelman$ ls $VAR
ls: .;: No such file or directory
ls: echo: No such file or directory
ls: hi: No such file or directory


Excerpts from "man bash":


QUOTING

Quoting is used to remove the special meaning of certain characters or words to the shell. Quoting can be used to disable special treatment for special characters, to prevent reserved words from being recognized as such, and to prevent parameter expansion.


Expansion is performed on the command line after it has been split into words. There are seven kinds of expansion performed: brace expansion, tilde expansion, parameter and variable expansion, command substitution, arithmetic expansion, word splitting, and pathname expansion.


Only brace expansion, word splitting, and pathname expansion can change the number of words of the expansion; other expansions expand a single word to a single word. The only exceptions to this are the expansions of "$@" and "${name[@]}" as explained above (see PARAMETERS).


The shell scans the results of parameter expansion, command substitution, and arithmetic expansion that did not occur within double quotes for word splitting.


After the preceding expansions, all unquoted occurrences of the characters \, ', and " that did not result from one of the above expansions are removed.
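The argument-count point the answer makes, as an added example that is not part of the original question or answer: the sample strings are constructed, nothing in them is ever run as a command, and the shell's default IFS is assumed.

```shell
# Report how many positional arguments the callee actually received.
argc() { printf '%s\n' "$#"; }

# Constructed inputs: one carrying a command separator, one carrying
# embedded double quotes. Both are only ever passed as data.
INPUT='filename; rm -rf /'
DQ_INPUT='file "with" quotes'

# Quoted expansion: the value stays a single word no matter how many
# spaces, semicolons or quote characters it contains.
quoted_argc()      { argc "$INPUT"; }
quoted_dq_argc()   { argc "$DQ_INPUT"; }

# Unquoted expansion: word splitting breaks the value on IFS (space, tab,
# newline) before the command runs, so the callee sees several arguments.
# The embedded quote characters are still plain data, never re-parsed.
unquoted_argc()    { argc $INPUT; }
unquoted_dq_argc() { argc $DQ_INPUT; }

# Print the argv a child command would receive, one bracketed entry per
# line, so the ';' is visibly ordinary text inside the one quoted argument.
show_argv() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

main() {
    echo 'quoted:';   show_argv "$INPUT"
    echo 'unquoted:'; show_argv $INPUT
}
```

Running main shows one bracketed entry for the quoted form and four for the unquoted one; in neither case does the shell interpret the `;`.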
