Reputation: 1518
Is there a way to prevent sh/bash from performing command substitution?
From a C program I want to call a shell script with a filename as a parameter. Users can control the filename. The C is something like (initialization/error checking omitted):
sprintf(buf, "/bin/sh script.sh \"%s\"", filename);
system(buf);
The target device is actually an embedded system so I don't need to worry about malicious users. Obviously this would be an attack vector in a web environment. Still, if there is a filename on the system which, for example, contains backquotes in its name, the command will fail because the shell will perform expansion on the name. Is there any to prevent command substitution?
Upvotes: 4
Views: 686
Answers (4)
Reputation: 215261
As sharth said, you should not use system but fork and execv yourself. But to answer the question of how you make strings safe to pass to the shell (in case you insist on using system), you need to escape the string. The simplest way to do this is to first replace every occurrence of ' (single quote) with '\'' (single quote, backslash, single quote, single quote) then add ' (single quote) at the beginning and end of the string. The other fairly easy (but usually less efficient) method is to place a backslash before every single character, but then you still need to do some special quotation mark tricks to handle embedded newlines, so I prefer the first method.
Upvotes: 0
Reputation: 12382
Since you tagged this as C I will provide you with a C answer. You will need to escape the filename -- create a new string that will be treated properly by the shell, so that things like This is a file name produces This\ is\ a\ file\ name or bad;rm *;filename becomes bad\;rm\ \*\;filename. Then you can pass that to the shell.
Another way around this would be to run the shell directly with fork and one of the exec functions. Passing arguments directly to programs does not result in shell command line expansion or interpretation.
Upvotes: 0
Reputation: 81926
Well, you could always reimplement system() using a call to fork() and then execv().
http://www.opengroup.org/onlinepubs/000095399/functions/system.html
Upvotes: 3
Related Questions
- Force sh shell to use external function instead of built-in
- Is there a way to prevent injection attacks when building a command-line from untrusted input in bash?
- Disable bash script input arguments substitution
- How do I prevent bash to use a builtin command?
- sh - prevent interpretation of escape sequences in command substitution
- Hijacking system("/bin/sh") to run arbitrary commands
- executing shell script without calling sh implicitly
- Is it possible to disable Command Substitution in Bash?
- turn off bash variable substitution
- Prevent shell command substitution