Logo Questions Linux Laravel Mysql Ubuntu Git Menu

Protecting arguments containing spaces from eval

In order to get eval to work on commands that contain spaces inside one of the parameters, I have only found this to work so far:

eval 'sed 's/foo/foo'" "'bar/g' filename'

In a hypothetical program where users would enter a command and then the command and arguments to be fed to eval, this isn't a very elegant or robust solution. Are there any other ways to run the eval command so that the interface for my_command can be a little more user friendly? The following is an example of how the program accepts arguments now.

my_command 'sed 's/foo/foo'" "'bar/g' filename'

I would like the interface to work something like this:

my_command sed 's/foo/foo bar/g' filename


I'll try asking a different question:

How do I get bash to read input from the command line literally? I want the exact input to be preserved, so if there are quotes I want to keep them. I can accomplish what I want to do by using egrep to read from file and then sanitizing the input, like so:

egrep '/.*/' filename |
sed 's/\(.*\)['"'"']\(.*\) \(.*\)['"'"']\(.*\)/\1'"\'"'\2" "\3'"\'"'\4/g'

with "filename" containing this line

sed 's/foo/foo bar/g' file

this gives me the desired output of:

sed 's/foo/foo" "bar/g' file

Problem here is that I can't echo "$@" because bash interprets the quotes. I want the literal input without having to read from file.

like image 367
Jon Poler Avatar asked Mar 21 '23 04:03

Jon Poler

2 Answers

Original question

For your preferred use-case, you'd simply write (inside my_command):


to execute the command as given.

Your eval line is odd:

eval 'sed 's/foo/foo'" "'bar/g' filename'

Because of the way single quotes don't nest, it is equivalent to:

 eval 'sed s/foo/foo" "bar/g filename'

Revised question

Possible solution:

egrep '/.*/' filename | sh

This feeds what is in filename directly to the shell for interpretation. Given file containing:

Some text containing foo; and bar.
More foo bar?
More text; more foo and bar; more foo bar beyond the possibility of unfooing.

The output is:

Some text containing foo bar; and bar.
More foo bar bar?
More text; more foo bar and bar; more foo bar bar beyond the possibility of unfoo baring.

Fixing quotes is hard!

Note that your complex sed script is not complex enough. Given filename containing:

sed 's/foo/foo bar/g' file
sed 's/foo bar/foo bar baz/g' file

the output from:

egrep '/.*/' filename |
sed 's/\(.*\)['"'"']\(.*\) \(.*\)['"'"']\(.*\)/\1'"\'"'\2" "\3'"\'"'\4/g'


sed 's/foo/foo" "bar/g' file
sed 's/foo bar/foo bar" "baz/g' file

which has not solved all the problems for the eval.

I've spent a lot of time, on and off, working on such issues over quite a long period of time (a quarter century is no exaggeration), and it isn't trivial. You can find one discussion in extenso in How to iterate over arguments in bash script. Somewhere, I have another answer which goes through gyrations about this stuff, but I can't immediately find it (where 'immediately' means an hour or so of distracted searching, where the distractions were sets of duplicate questions, etc). It may have been deleted, or I may have looked in the wrong place.

like image 144
Jonathan Leffler Avatar answered Mar 31 '23 17:03

Jonathan Leffler

your design is flawed. Create a user interface that doesn't let them input commands directly. give options, or let them enter the parameters only. At the back end, you do your sanitization check on the parameters before calling sed or other tools desired. You don't have to use eval

like image 40
brianadams Avatar answered Mar 31 '23 17:03