From 47cf35e2342f32149ba608851c4a514758447944 Mon Sep 17 00:00:00 2001 From: Tom Ryder Date: Thu, 11 Jan 2018 19:18:05 +1300 Subject: Make first ax(1df) arg safer, warn on second arg The format in the first argument does not need to be evaluated, so it can be passed in a simple awk variable. The second argument is evaluated, by design, so code injection is trivial. It's probably a good idea to warn users about this explicitly. $ ax '0);system("cat /etc/passwd")' Make the whole thing a little terser, too, with the awk program construction, variable assignment, and invocation all on one line. --- bin/ax.sh | 13 ++++--------- man/man1/ax.1df | 6 +++++- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/bin/ax.sh b/bin/ax.sh index 6ce1e9ea..8098125d 100644 --- a/bin/ax.sh +++ b/bin/ax.sh @@ -16,12 +16,7 @@ case $# in ;; esac -# Form program -prog=$(printf ' - BEGIN { - printf "%s\\n", %s - } -' "$form" "$expr") - -# Run program -awk "$prog" +# Important note: there's little stopping the user from putting a fully-fledged +# Awk program into the expression; don't use this anywhere that code injection +# could wreck your life. See manual page ax(1df). +awk -v form="$form" 'BEGIN{printf form,('"$expr"');exit}' diff --git a/man/man1/ax.1df b/man/man1/ax.1df index b3218d37..ffdaabe3 100644 --- a/man/man1/ax.1df +++ b/man/man1/ax.1df @@ -1,4 +1,4 @@ -.TH AX 1df "July 2016" "Manual page for ax" +.TH AX 1df "January 2018" "Manual page for ax" .SH NAME .B ax \- evaluate an awk expression @@ -11,5 +11,9 @@ evaluates an expression given on the command line with awk(1) and prints its result using awk's printf, with an optional format specified preceding the expression. +.SH SECURITY +Note that the second argument has no evaluation protection on it. There's very +little to stop a user putting a fully-fledged awk program in as the second +argument if they needed to. Don't accept untrusted user input in this argument! .SH AUTHOR Tom Ryder -- cgit v1.2.3