Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to securely quote an optional flag?

Tags:

bash

If $FOO is set, I want to run:

cd "$OUTPUTDIR" && fpm -s dir -t rpm \
  -a x86_64 \
  --epoch "${PKGEPOCH}" \
  -n "${PACKAGENAME}" \
  --version "${PKGVERSION}" \
  --iteration "${PKGRELEASE}" \
  -C "$OUTPUTDIR/installroot" \
  --description="${PKGDESCRIPTION}" \
  .

If $FOO is not set, I don't want to include the flag at all.

The program fails if --description= (empty).

However, sometimes descriptions include quotes and other special characters so I don't want to do:

if [[ -z "PKGDESCRIPTION" ]]; then
    D=--description="${PKGDESCRIPTION}"
fi
cd "$OUTPUTDIR" && fpm -s dir -t rpm \
  -a x86_64 \
  --epoch "${PKGEPOCH}" \
  -n "${PACKAGENAME}" \
  --version "${PKGVERSION}" \
  --iteration "${PKGRELEASE}" \
  -C "$OUTPUTDIR/installroot" \
  $D
  .

If I put quotes around $D then it becomes an additional (blank) arg.

Is there a way to do this that won't be a security problem if $PKGDESCRIPTION includes special chars AND doesn't generate a blank arg?

like image 289
TomOnTime Avatar asked Dec 19 '22 07:12

TomOnTime

2 Answers

Using an array is the only sane way to do this:

options=( -a x86_64  -C "$OUTPUTDIR/installroot" )
[[ $PKGEPOCH ]]       && options+=( --epoch "$PGKEPOCH" )
[[ $PACKAGENAME ]]    && options+=( -n "$PACKAGENAME" )
[[ $PKGVERSION ]]     && options+=( --version "$PKGVERSION" )
[[ $PKGRELEASE ]]     && options+=( --iteration "$PKGRELEASE" )
[[ $PKGDESCRIPTION ]] && options+=( --description="$PKGDESCRIPTION" )

cd "$OUTPUTDIR" && fpm -s dir -t rpm "${options[@]}"

See also http://mywiki.wooledge.org/BashFAQ/050

like image 156
glenn jackman Avatar answered Jan 01 '23 23:01

glenn jackman

If PKGDESCRIPTION is the only argument that needs this conditional treatment, you can use an "alternate value" expansion:

[...] && fpm -s dir -t rpm \
    [...] \
    ${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
    .

Explanation: the :+ means this will expand to nothing at all unless PKGDESCRIPTION is set to a non-null value; if it is set to something non-null, it expands to --description="${PKGDESCRIPTION}", and the double-quotes make it ignore special characters in PKGDESCRIPTION's value. Note that the space in :+ -- isn't needed, but does no harm and makes it at least slightly easier to read.

BTW, if more than one argument needs this treatment, I'd go with @glenn jackman's approach.

like image 39
Gordon Davisson Avatar answered Jan 01 '23 23:01

Gordon Davisson
Sign in to Comment

Related questions

Overwrite executing bash script files
error while running "source .vimrc"
How to know what script header to use and why it matters?
bash sed a quoted string from file but only at the Nth line
Sorting in unix while other field doesn't change
Passing SED replace arguments within a BASH variable
"ASCII" codes for arrow up, down, left and right
How to remove nth element from command arguments in bash
rc.local file not working raspberry pi
Why does ((0)) cause a Bash script to exit if `set -e` directive is present?
Bash: how to filter tee output in realtime for ssh command?
Safe shell redirection when command not found
curl: pass a named parameter from stdin
Split string using 2 different delimiters in Bash
Printing a sequence from a fasta file
How to pass shell variables as Command Line Argument to a shell script
How to catch mysql Error in bash
Why is bash faster than C? [closed]
Perl inside Bash: How to read from pipe and pass arguments to perl at the same time?
Convert delimited file to fixed width in Linux

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!