Safe way to set computed environment variables
Posted
by sfink
on Stack Overflow
See other posts from Stack Overflow
or by sfink
Published on 2010-03-22T22:23:35Z
Indexed on
2010/03/22
23:51 UTC
Read the original article
Hit count: 335
I have a bash script that I am modifying to accept key=value pairs from stdin. (It is spawned by xinetd.) How can I safely convert those key=value pairs into environment variables for subprocesses?
I plan to only allow keys that begin with a predefined prefix "CMK_", to avoid IFS or any other "dangerous" variable getting set. But the simplistic approach
function import ()
{
local IFS="="
while read key val; do
case "$key" in CMK_*)
eval "$key=$val";;
esac
done
}
is horribly insecure because $val could contain all sorts of nasty stuff. This seems like it would work:
shopt -s extglob
function import ()
{
NORMAL_IFS="$IFS"
local IFS="="
while read key val; do
case "$key" in CMK_*([a-zA-Z_]) )
IFS="$NORMAL_IFS"
eval $key='$val'
IFS="="
;;
esac
done
}
but (1) it uses the funky extglob thing that I've never used before, and (2) it's complicated enough that I can't be comfortable that it's secure.
My goal, to be specific, is to allow key=value settings to pass through the bash script into the environment of called processes. It is up to the subprocesses to deal with potentially hostile values getting set.
I am modifying someone else's script, so I don't want to just convert it to Perl and be done with it. I would also rather not change it around to invoke the subprocesses differently, something like
#!/bin/sh
...start of script...
perl -nle '($k,$v)=split(/=/,$_,2); $ENV{$k}=$v if $k =~ /^CMK_/; END { exec("subprocess") }'
...end of script...
© Stack Overflow or respective owner