Bash nested quotes and eval

Question

I'm having difficulty nested quotes within a bash script

argv="su -c '$RVM_PATH wrapper $config_rvm \'$PASSENGER_RVM_BIN $command $options\'' web"
eval $argv

The above got me

eval: line 162: unexpected EOF while looking for matching `''
eval: line 163: syntax error: unexpected end of file

Answer 1

Generic solution for eval with correctly quoted arguments

The following function uses the shell's own quoting mechanism to that I don't have to worry about how to correctly quote things:

function token_quote {
  local quoted=()
  for token; do
    quoted+=( "$(printf '%q' "$token")" )
  done
  printf '%s\n' "${quoted[*]}"
}

Example usage:

$ token_quote token 'single token' token
token single\ token token

Above, note the single token's space is quoted as \.

$ set $(token_quote token 'single token' token)
$ eval printf '%s\\n' "$@"
token
single token
token
$

This shows that the tokens are indeed kept separate.

---

Given some untrusted user input:

% input="Trying to hack you; date"

Construct a command to eval:

% cmd=(echo "User gave:" "$input")

Eval it, with seemingly correct quoting:

% eval "$(echo "${cmd[@]}")"
User gave: Trying to hack you
Thu Sep 27 20:41:31 +07 2018

Note you were hacked. date was executed rather than being printed literally.

Instead with token_quote():

% eval "$(token_quote "${cmd[@]}")"
User gave: Trying to hack you; date
%

eval isn't evil - it's just misunderstood :)

Answer 2

Use an array instead.

#!/bin/bash
cmd=(echo "foo bar")
"${cmd[@]}"

Answer 3

argv="su -c \"$RVM_PATH wrapper $config_rvm \\\"$PASSENGER_RVM_BIN $command $options\\\"\" web"

Answer 4

That's because \' doesn't have any special meaning within a single-quoted string; it means simply "backslash, followed by end-of-string".

One option is to use $'...' instead of '...'; that will let you use backslash-escapes. It would look like this:

argv="su -c $'$RVM_PATH wrapper $config_rvm \'$PASSENGER_RVM_BIN $command $options\'' web"

The downside is that if there's any chance that $RVM_PATH, $config_rvm, or any of the other variables could include a backslash, then it too could be interpreted as introducing a backslash-escape.