Sanitize user input in bash for security purposes

Views: 188

Question

How do I sanitise user input in a bash script so that I can then pass it as an argument to another shell program? ie I want to prevent the following

INPUT="filename;rm -rf /"
ls $INPUT

I was thinking it should be enough to surround the user input in doublet quotes like so

ls "$INPUT"

but what if there is a double quote in $INPUT?

Or does bash already deal with this problem?

Recommended answer

The Short

Bash already deals with that. Quoting it is sufficient.

ls "$INPUT"

The Long

A rough guide to how the shell parses this line is:

"ls \"$INPUT\""                     # Raw command line.
["ls", "\"$INPUT\""]                # Break into words.
["ls", "\"filename; rm -rf /\""]    # Perform variable expansion.
["ls", "\"filename; rm -rf /\""]    # Perform word splitting (no change).
["ls", "filename; rm -rf /"]        # Remove quotes.

Because of the quotes the $INPUT variable does not undergo word splitting. The ls will look for a file named filename; rm -rf /.

If you didn't quote it then the expansion would proceed differently:

"ls $INPUT"                             # Raw command line.
["ls", "$INPUT"]                        # Break into words.
["ls", "filename; rm -rf /"]            # Perform variable expansion.
["ls", "filename;", "rm", "-rf", "/"]   # Perform word splitting.

You can at least have consolation that this won't actually execute rm -rf /. Rather, it'll pass each of those strings as a file name to ls. You'll ls some files you didn't intend but at least it won't accidentally execute unwanted commands.

jkugelman$ VAR='.; echo hi'
jkugelman$ ls $VAR
ls: .;: No such file or directory
ls: echo: No such file or directory
ls: hi: No such file or directory

An excerpt from man bash:

QUOTING

Quoting is used to remove the special meaning of certain characters or words to the shell. Quoting can be used to disable special treatment for special characters, to prevent reserved words from being recognized as such, and to prevent parameter expansion.

Expansion is performed on the command line after it has been split into words. There are seven kinds of expansion performed: brace expansion, tilde expansion, parameter and variable expansion, command substitution, arithmetic expansion, word splitting, and pathname expansion.

Only brace expansion, word splitting, and pathname expansion can change the number of words of the expansion; other expansions expand a single word to a single word. The only exceptions to this are the expansions of "$@" and "${name[@]}" as explained above (see PARAMETERS).

The shell scans the results of parameter expansion, command substitution, and arithmetic expansion that did not occur within double quotes for word splitting.

After the preceding expansions, all unquoted occurrences of the characters \, ', and " that did not result from one of the above expansions are removed.
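As an added example (not part of the original question or answer), the following POSIX sh script makes the quoted-versus-unquoted difference observable by counting how many words each expansion produces, using the answer's value `filename; rm -rf /`. It also goes beyond the answer in two ways that matter when user input is passed on to another program: an unquoted expansion additionally undergoes pathname expansion (a `*` in the input matches files in the current directory), and quoting does not stop the receiving command from parsing a value that begins with `-` as an option, which is what the end-of-options marker `--` is for. All functions, the temporary directories and the input strings are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Constructed functions and
# inputs that make the shell's word splitting observable and show two
# caveats the answer does not cover: pathname expansion and option parsing.

# Print the number of arguments received. Calling this with an expansion
# shows how many words that expansion produced.
count_args() {
    echo "$#"
}

# The value from the answer's walkthrough (constructed, one space after ';').
INPUT='filename; rm -rf /'

# Unquoted: word splitting turns the value into four separate arguments.
unquoted_words() {
    # shellcheck disable=SC2086   (deliberately unquoted)
    count_args $INPUT
}

# Double-quoted: exactly one argument; the ';' and the spaces are literal.
quoted_words() {
    count_args "$INPUT"
}

# A double quote inside the value is data too; the result of the
# expansion is never re-parsed for quotes.
quoted_with_dq() {
    count_args "$1"
}

# Unquoted expansion also undergoes pathname expansion: a '*' in the input
# matches files in the current directory. Returns "<unquoted> <quoted>"
# argument counts, measured in a temporary directory holding two files.
glob_expansion() {
    dir=$(mktemp -d) || return 1
    : > "$dir/one"
    : > "$dir/two"
    pattern='*'
    # shellcheck disable=SC2086   (deliberately unquoted)
    unquoted=$(cd "$dir" && count_args $pattern)
    quoted=$(cd "$dir" && count_args "$pattern")
    rm -f "$dir/one" "$dir/two"
    rmdir "$dir"
    echo "$unquoted $quoted"
}

# Quoting delivers the value as one argument, but the receiving command
# still interprets it: a value starting with '-' is parsed as an option.
# Put '--' (end of options) before any user-controlled argument.
# Returns "<ls status without --> <ls status with -->" in an empty directory:
# 'ls -l' succeeds, 'ls -- -l' looks for a file named '-l' and fails.
option_injection() {
    dir=$(mktemp -d) || return 1
    (cd "$dir" && ls "$1" >/dev/null 2>&1) && unsafe=0 || unsafe=$?
    (cd "$dir" && ls -- "$1" >/dev/null 2>&1) && safe=0 || safe=$?
    rmdir "$dir"
    echo "$unsafe $safe"
}

# Stand-alone run: show each measurement.
echo "unquoted \$INPUT            -> $(unquoted_words) words"
echo "quoted \"\$INPUT\"           -> $(quoted_words) word(s)"
echo "value with a double quote  -> $(quoted_with_dq 'file"name; rm -rf /') word(s)"
echo "glob '*' unquoted/quoted   -> $(glob_expansion)"
echo "ls -l / ls -- -l statuses  -> $(option_injection -l)"
```

The practical rule this illustrates is `cmd -- "$INPUT"`: the double quotes keep the value as a single argument regardless of spaces, semicolons, quotes or globbing characters, and the `--` keeps the receiving command from reading a leading `-` as an option. Neither step removes or escapes anything from the input, and none is needed; the value reaches the program exactly as the user typed it.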
