How to read bash script-style config more safely?

Easy way:

# Read environment from config file

set -o allexport
source my_config_file.conf
set +o allexport

The format of the config file is like this:

VAR1=eee
VAR2="dsfsdf sd fsdf"
VAR3=$VAR1
# comment    

How to do it more safely (allowing some expansions, but without actually executing commands in the config file)? The "safety" should protect from occasionally inserting wrong snippets into the config, not from specially crafted attacks.

Answers


VAR1=eee is a command, so which commands do you want to stop? Let's assume it is external programs.

One way would be to trash PATH:

oldPATH="$PATH"
PATH=
set -o allexport 
source /full-path-name/my_config_file.conf 
set +o allexport 
PATH="$oldPATH"

But wait! Commands are "hashed", so you need to clear the hash first as well, so add hash -r. You might also need to clear aliases as well, for example ls is often an alias.

This is easily circumvented by supplying the full path name of the command, for example /usr/bin/man, but that's about the limit of what you can do.
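
An alternative to sourcing the file at all, as an added example that is not part of the original question or answer: a line-by-line loader that accepts only NAME=VALUE lines, expands plain $NAME references, and rejects command substitution and anything that is not an assignment. The function name load_config and the rule that keys may not start with an underscore are assumptions of this example.

```bash
# Added example: load NAME=VALUE lines without ever executing the file.
# Keys starting with "_" are rejected because the loader uses those itself.
load_config() {
    _file=$1; _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _line=${_line#"${_line%%[![:space:]]*}"}      # trim leading blanks
        case $_line in ''|'#'*) continue ;; esac      # blank line or comment
        case $_line in
            *=*) ;;
            *) echo "$_file:$_n: not an assignment" >&2; return 1 ;;
        esac
        _key=${_line%%=*}; _val=${_line#*=}
        case $_key in
            ''|_*|[0-9]*|*[!A-Za-z0-9_]*)
                echo "$_file:$_n: bad variable name" >&2; return 1 ;;
        esac
        _val=${_val%"${_val##*[![:space:]]}"}         # trim trailing blanks
        _lit=0
        case $_val in                                 # strip one pair of quotes
            \"*\") _val=${_val#\"}; _val=${_val%\"} ;;
            \'*\') _val=${_val#\'}; _val=${_val%\'}; _lit=1 ;;
        esac
        _out=
        while [ "$_lit" = 0 ]; do                     # expand plain $NAME only
            case $_val in
                *'`'*) echo "$_file:$_n: backticks not allowed" >&2; return 1 ;;
                *'$'*) ;;
                *) break ;;
            esac
            _out=$_out${_val%%'$'*}
            _rest=${_val#*'$'}
            _name=${_rest%%[!A-Za-z0-9_]*}
            case $_name in
                ''|[0-9]*) echo "$_file:$_n: unsupported expansion" >&2; return 1 ;;
            esac
            # eval sees only a validated identifier, never text from the value
            eval "_out=\$_out\${$_name-}"
            _val=${_rest#"$_name"}
        done
        export "$_key=$_out$_val"
    done < "$_file"
}

# Constructed sample in the question's format
demo=$(mktemp)
printf '%s\n' 'VAR1=eee' 'VAR2="dsfsdf sd fsdf"' 'VAR3=$VAR1' '# comment' > "$demo"
load_config "$demo" && echo "VAR3=$VAR3"
rm -f "$demo"
```

A rejected line stops the load, but variables from earlier lines stay exported. Single-quoted values are taken literally, so a value that needs a literal $ can be written that way.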

