From 6d91fb8564f55443577757819b2690a052aabb94 Mon Sep 17 00:00:00 2001 From: wodry Date: Mon, 9 Aug 2021 20:52:41 +0200 Subject: [PATCH] Revert 701bc00f495afe654b72dfb9d4f9c7b1512fa2b6...c4f0f33e10056799528364dd590b29724d537db5 on SC2156 --- SC2156.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SC2156.md b/SC2156.md index 360c67c..b3df454 100644 --- a/SC2156.md +++ b/SC2156.md @@ -9,14 +9,14 @@ find . -name '*.mp3' -exec sh -c 'i="{}"; sox "$i" "${i%.mp3}.wav"' \; ### Correct code: ```sh -find . -name '*.mp3' -exec sh -c 'i="$1"; sox "$i" "${i%.mp3}.wav"' _ {} \; +find . -name '*.mp3' -exec sh -c 'i="$1"; sox "$i" "${i%.mp3}.wav"' shell {} \; ``` ### Rationale: In the problematic example, the filename is passed by injecting it into a shell string. Any shell metacharacters in the filename will be interpreted as part of the script, and not as part of the filename. This can break the script and allow arbitrary code execution exploits. -In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. The `_` is a dummy string that becomes `$0` in the script. +In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. Note that when using shell command with `-c`, the first parameter to the shell command (in the example "shell") becomes `$0` in the shell command's environment, where it is used e.g. in shell error messages (you can set it to an arbitrary value, but it makes sense to set it to the shell's name). You should not use the first parameter to the shell command as data processing parameter, because you could not access `$0` e.g. via `$*` in the shell command (because `$*` starts with `$1`), and as said, `$0` is used in the shell command's error messages, what would be confusing. ### Exceptions:
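Review bot: the added rationale sentence in this hunk needs a grammar pass and tightening before it lands in SC2156.md. "when using shell command with `-c`" should read "when running a shell with `-c`", "as data processing parameter" should read "as a data-processing parameter", and "what would be confusing" should read "which would be confusing". The clause "you could not access `$0` e.g. via `$*`" is also imprecise: `$0` stays directly accessible, the point is that `$*` and `$@` begin at `$1` and so exclude it, which is why a filename placed in that slot is silently dropped from the positional parameters. Suggest: "The first argument after the script (here `shell`) becomes `$0`, which shells use in error messages; it is not included in `$*` or `$@`, so never pass data there." Finally, the subject says "Revert" but the hunk replaces the `_` placeholder with `shell` and adds new explanatory text; a one-line body stating why the revert is wanted would help the next reader of `git log`.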