LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices

Reply
 
Search this Thread
Old 01-03-2008, 10:23 AM   #1
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Rep: Reputation: 39
Question User input into Bash scripts and checking validity of user input??


Hello,
I write quite a few little bash scripts to do all sorts of funky stuff, the problem is they would be in an un-secure state ie. when reading or making use of user input into a script, i haven't checked for what the user has inputted into the script. Therefore obviously leaving open security whole that the script could end up doing other things i dont want it to do. Whats the best way in bash to be validating user input to reduce the chances of this happening. Read in a user input or when starting a script with an argument ./script argument

this argument isn't validated so it could be :-
yes my name is me;rm -Rf /*

So its basically reducing what could happen, therefore i gues one thing to do would be to check for occurrences of ';' in any user input, whatelse and how should i do this??

Regards and Thanks
 
Old 01-03-2008, 10:57 AM   #2
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,453

Rep: Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941
I doubt that a user's input can be executed as a command. If you use the read statement all the input line is stored in a variable and most likely your script does not simply eval that variable. If input is passed as arguments, you can do all the checks you need, but again you will not simply eval the arguments, won't you?
 
Old 01-06-2008, 05:54 AM   #3
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Original Poster
Rep: Reputation: 39
Hey,
What do you mean eval?
do you mean run or execute the argument or input the user has given??

Cheers
 
Old 01-06-2008, 05:59 AM   #4
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,453

Rep: Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941
Hi. I mean literally the eval built-in which let you evaluate a string as a command and execute it.
 
Old 01-06-2008, 06:07 AM   #5
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Original Poster
Rep: Reputation: 39
ooo, sorry i thought it was some term i've not heard of yet :-) yeah now that makes sense. But there must still be some method i could use to check some possible incorrect input that could cause a problem like the one i've sugested?
Cheers
 
Old 01-06-2008, 07:25 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732
IMHO you should ensure user input remains inert, not executed. There's probably a Gogolplex of docs around about input sanitation I haven't tried to find but AFAIK input sanitation in the sense of "blacklisting" requires you to safeguard against every known iteration and every loophole which is inefficient and unsafe because you don't cover everything, you can be sure of *that*. Input sanitation in the "whitelisting" sense (only allowing a few options) is relatively safer because it is more restrictive (sudo-like). So you could 'declare -r goodChars="1234567890-_.abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"' then 'scrubbedString="${userInput//[^$goodChars]/}"'. Doing something like 'declare -r badChars=";:,.[]{}<>" leads to frustration. Frustration leads to anger, and we all know what anger leads to :-]
 
Old 01-06-2008, 08:18 AM   #7
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,453

Rep: Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941Reputation: 1941
Quote:
Originally Posted by unSpawn View Post
IMHO you should ensure user input remains inert, not executed.
I subscribe to this. It is what I meant in my first post (thanks Unspawn for summarizing).

You should know a priori what a user's input should be and check it accordingly. If you expect a random sequence of characters, never execute it. Actually I cannot figure out a script that accepts commands as input: if the user can execute the script, most likely he can execute any command (unless he runs in a restricted shell). On the other hand if the user is meant to drive how the script works, you may use options (see getopts).

Returning to your original question (how to check if a string contains a semi-colon) you can use the method suggested by Unspawn (I would add also a blank space in the list of good characters) and check if a string contains any unwanted character. Or simply do a literal
Code:
echo $userinput | grep -o \;
 
Old 01-06-2008, 08:55 AM   #8
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Original Poster
Rep: Reputation: 39
Thanks guy's this should be perfect

Cheers
Some great stuff i can work with there
 
Old 07-07-2008, 06:40 PM   #9
gmendoza
LQ Newbie
 
Registered: Nov 2007
Distribution: Ubuntu, Debian, Slackware
Posts: 6

Rep: Reputation: 1
Smile

Quote:
Originally Posted by helptonewbie View Post
Thanks guy's this should be perfect

Cheers
Some great stuff i can work with there
I was working on something similar, and used "tr" to strip all non-alphanumeric characters from the input. The following example also allows for spaces and tries to avoid shell expansion in handling of the variables.

Code:
#!/bin/bash
echo "Enter variable: "
read VAR_INPUT
# Sanitize input and assign to new variable
export VAR_CLEAN="`echo "${VAR_INPUT}" | tr -cd '[:alnum:] [:space:]'`"
echo "New Variable: ${VAR_CLEAN}"
You can also limit the number of characters to ten with "cut -c -10", etc, etc. The sky's the limit.

Hope this is useful for others. All improvements to the code welcome!

Gilbert Mendoza

Last edited by gmendoza; 07-09-2008 at 01:50 PM. Reason: minor syntax issue
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
User input disabled with scripts launched for .ssh/rc? rockysfr Programming 3 07-03-2007 04:23 PM
Bash scripting and user input Woodsman Slackware 13 11-02-2005 02:20 PM
mask user input in a bash script PlatinumRik Linux - Software 1 06-15-2004 10:06 AM
my mouse input is takes as keyboard input in BASH e1000 Slackware 5 12-08-2003 03:00 PM
User input using a BASH script... causticmtl Programming 5 07-13-2003 09:59 PM


All times are GMT -5. The time now is 11:44 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration