[racket] Embedding multiline shell scripts

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Sun Feb 6 13:02:37 EST 2011

Tip: When constructing a shell command line or script programmatically, 
to be parsed by the shell, you have to be especially careful about 
quoting and escaping of any values that you plug in.  This is a likely 
place for strange inputs to the construction to break the language, 
resulting in failure and possibly data loss or intrusion, possibly 
undetected.  When I have audited code for security vulnerabilities, the 
construction of shell commands always catches my eye, since it seems 
that people almost always get it wrong.

The various Unix-like shells (Bourne, C-shell, and their derivatives) 
are hobbled by anachronistic craziness.  If one finds that one is trying 
to construct a string to be interpreted by a shell, then see whether one 
can instead do it as: (1) a Racket list of arguments to a host OS 
program exec, bypassing the shell; or (2) do more processing in Racket 
and less in shell.

-- 
http://www.neilvandyke.org/


Posted on the users mailing list.
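An added example in Racket (not from the post or the Racket distribution) contrasting the fragile string-building approach with the two alternatives the post recommends, plus a single-quote helper for the case where a shell string really is unavoidable. It assumes a Unix-like host with `/bin/ls` and `/bin/sh`; the hostile file name is constructed for illustration.

```racket
#lang racket
;; Added example, not code from the original post. Assumes a Unix-like
;; host where /bin/ls and /bin/sh exist.
(require racket/system racket/string)

;; A constructed untrusted value: a "file name" that, if pasted into a
;; shell command line unquoted, becomes two commands instead of one word.
(define hostile-name "x; echo INJECTED")

;; Fragile: the value is spliced into a string that /bin/sh re-parses.
;; With hostile-name this runs "ls -l x" and then "echo INJECTED".
(define (list-files-fragile name)
  (system (string-append "/bin/ls -l " name)))

;; Preferred (post's option 1): pass arguments as a list to the program.
;; system* calls exec directly, so the shell never sees the string and
;; there is nothing to escape. "--" stops ls from reading a name that
;; starts with "-" as an option.
(define (list-files-safely name)
  (system* "/bin/ls" "-l" "--" name))

;; Fallback: if a shell string cannot be avoided, wrap every spliced
;; value in single quotes. Inside single quotes sh interprets nothing;
;; an embedded ' is written as '\'' (close quote, literal ', reopen).
(define (shell-quote s)
  (string-append "'" (string-replace s "'" "'\\''") "'"))

(define (list-files-via-shell name)
  (system (string-append "/bin/ls -l -- " (shell-quote name))))

(module+ main
  (printf "shell-quote of ~s is ~a~n" "it's" (shell-quote "it's"))
  ;; Both safe variants report that no file named "x; echo INJECTED"
  ;; exists; neither prints INJECTED.
  (list-files-safely hostile-name)
  (list-files-via-shell hostile-name))
```

Run with `racket file.rkt`; calling `list-files-fragile` with `hostile-name` instead shows the second command executing.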