theillien

Reputation: 1380

bash script fails when password contains backtick

A colleague wrote a script that acts as a wrapper for executing other scripts remotely. It is set up to ask for a password which is then echo'ed to remote systems for use in sudo.

Relevant code*:

read -s pw
....
${SSH_tt} ${HOST} "echo ${pw} | ${SUDO_S} ./${SCRIPT_NAME} > ${HOME}/${HOST_OUTPUT}" 2> /dev/null

* Please ignore the all upper-case variables.

If I enter a password which contains a backtick I get the following error:

bash: -c: line 0: unexpected EOF while looking for matching ``'
bash: -c: line 1: syntax error: unexpected end of file

If I change my password to one that does not contain the backtick the script runs fine. I imagine it would happen with passwords which contain single- and double-quotes as well.

While changing my password is an option it is not desirable due to the size of our platform (we don't use centralized authentication). I'm wondering if there is a way to sanitize or otherwise escape the backtick so that it isn't interpreted by the shell either locally or remotely.

Upvotes: 2

Views: 1147

Answers (1)

ronakg

Reputation: 4212

You can escape the password before you execute the last line.

In bash:

escaped_pw=$(printf '%q' "${pw}")

Then use escaped_pw in place of pw.

${SSH_tt} ${HOST} "echo ${escaped_pw} | ${SUDO_S} ./${SCRIPT_NAME} > ${HOME}/${HOST_OUTPUT}" 2> /dev/null

Here's an example:

$ read -s pw
$ echo $pw
ronak`gandhi
$ escaped_pw=$(printf '%q' "${pw}")
$ echo $escaped_pw
ronak\`gandhi
$ ssh myhost "echo ${escaped_pw} - `date`"
ronak`gandhi - Thu Jun 18 19:28:47 PDT 2015

Upvotes: 4
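
The difference between the question's command and the answer's fix, as an added example that is not part of the original answer. `bash -c` stands in for the remote shell that ssh passes the command string to; the function names, the constructed sample passwords and the stdin variant (which goes beyond the answer) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: `bash -c` stands in for the remote login shell that ssh
# hands the command string to, so this runs offline.
remote_shell() { bash -c "$1" 2>/dev/null; }

# As in the question: the password is pasted into the command string and
# the remote shell parses it as code.
send_raw() { remote_shell "echo ${1}"; }

# As in the answer: %q escapes the value for one extra round of parsing.
# The argument is quoted so spaces and glob characters survive. %q is a
# bash extension, so it is called through bash explicitly.
send_escaped() {
  local escaped
  escaped=$(bash -c 'printf %q "$1"' _ "$1")
  remote_shell "echo ${escaped}"
}

# Assumption beyond the page: keep the password out of the command string
# and feed it on stdin; `cat` stands in for the remote `sudo -S`.
send_stdin() { printf '%s\n' "$1" | remote_shell 'cat'; }

# Constructed sample passwords: backtick, quotes, double space, $( ).
for pw in 'ronak`gandhi' "it's \"q\"" 'two  words' 'pw$(echo INJECTED)'; do
  raw=$(send_raw "$pw") || raw='<remote shell error>'
  printf 'input:   %s\n' "$pw"
  printf 'raw:     %s\n' "$raw"
  printf 'escaped: %s\n' "$(send_escaped "$pw")"
  printf 'stdin:   %s\n\n' "$(send_stdin "$pw")"
done
```

`printf %q` can emit `$'...'` quoting for control characters, so the remote login shell has to be bash-compatible for the escaped form to parse.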
