From a4566ad83c4ab11f198922da09700aad8893805e Mon Sep 17 00:00:00 2001 From: wodry Date: Mon, 9 Aug 2021 04:58:59 +0200 Subject: [PATCH] Remove confusing "_" dummy parameter --- SC2156.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SC2156.md b/SC2156.md index 360c67c..4e13cdf 100644 --- a/SC2156.md +++ b/SC2156.md @@ -9,14 +9,14 @@ find . -name '*.mp3' -exec sh -c 'i="{}"; sox "$i" "${i%.mp3}.wav"' \; ### Correct code: ```sh -find . -name '*.mp3' -exec sh -c 'i="$1"; sox "$i" "${i%.mp3}.wav"' _ {} \; +find . -name '*.mp3' -exec sh -c 'i="$0"; sox "$i" "${i%.mp3}.wav"' {} \; ``` ### Rationale: In the problematic example, the filename is passed by injecting it into a shell string. Any shell metacharacters in the filename will be interpreted as part of the script, and not as part of the filename. This can break the script and allow arbitrary code execution exploits. -In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. The `_` is a dummy string that becomes `$0` in the script. +In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. Note that when using shell command with `-c`, the first parameter to the shell command becomes `$0`. ### Exceptions:
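Review bot: the `$0` form in the new `+find . -name '*.mp3' -exec sh -c 'i="$0"; ...' {} \;` line only works for the one-file-per-invocation `\;` terminator; with `-exec ... {} +` the remaining filenames land in `$1..$n`, so a `for i do ...; done` loop over `"$@"` would skip the file consumed by `$0`, whereas the `_` placeholder in the removed `-` line is exactly what keeps `"$@"` equal to the full file list in both forms. `$0` is also what the shell prints as the program name in its own diagnostics, so a syntax or expansion error inside the `-c` string will be reported as coming from the MP3 filename rather than from `sh`. Suggest keeping `_ {} \;` and leaving the existing sentence `The `_` is a dummy string that becomes `$0` in the script.` in place; if the `$0` variant stays, the rewritten rationale sentence should state explicitly that `$0` here is the filename and that any further arguments start at `$1`, since "the first parameter to the shell command" is easy to misread as `$1`.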