How to read bash script-style config more safely?

Easy way:

# Read environment from config file

set -o allexport
source my_config_file.conf
set +o allexport

Format of the config file is like that:

VAR1=eee
VAR2="dsfsdf sd fsdf"
VAR3=$VAR1
# comment    

How to do it more safely (allowing some expansions, but without actually executing commands in config file). The "safety" should protect from occasional inserting of wrong snippets into config, not from specially crafted attacks.

Answers


VAR1=eee is a command, so which commands do you want to stop? Let's assume it is external programs.

One way would be to trash PATH:

oldPATH="$PATH"
PATH=
set -o allexport 
source /full-path-name/my_config_file.conf 
set +o allexport 
PATH="$oldPATH"

But wait! Commands are "hashed", so you need to clear the hash first as well, so add hash -r. You might also need to clear aliases as well, for example ls is often an alias.

This is easily curcumvented by supplying the full path name of the command, for example /usr/bin/man, but that's about the limit of what you can do.


Need Your Help

Tweeter share on wall API with call back function

php api twitter

I want to use the tweeter API for sharing on wall.

How to find the number of uppercase Characters in a string array?

java arrays for-loop character

I have a code that create an array of characters (a predefined array) and going through the array I need to find the uppercase characters and as result display the number of it.