From 47cf35e2342f32149ba608851c4a514758447944 Mon Sep 17 00:00:00 2001 From: Tom Ryder Date: Thu, 11 Jan 2018 19:18:05 +1300 Subject: Make first ax(1df) arg safer, warn on second arg The format in the first argument does not need to be evaluated, so it can be passed in a simple awk variable. The second argument is evaluated, by design, so code injection is trivial. It's probably a good idea to warn users about this explicitly. $ ax '0);system("cat /etc/passwd")' Make the whole thing a little terser, too, with the awk program construction, variable assignment, and invocation all on one line. --- bin/ax.sh | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) (limited to 'bin') diff --git a/bin/ax.sh b/bin/ax.sh index 6ce1e9ea..8098125d 100644 --- a/bin/ax.sh +++ b/bin/ax.sh @@ -16,12 +16,7 @@ case $# in ;; esac -# Form program -prog=$(printf ' - BEGIN { - printf "%s\\n", %s - } -' "$form" "$expr") - -# Run program -awk "$prog" +# Important note: there's little stopping the user from putting a fully-fledged +# Awk program into the expression; don't use this anywhere that code injection +# could wreck your life. See manual page ax(1df). +awk -v form="$form" 'BEGIN{printf form,('"$expr"');exit}' -- cgit v1.2.3
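Review bot: The replacement line `awk -v form="$form" 'BEGIN{printf form,('"$expr"');exit}'` drops the trailing newline that the removed program appended to the format (`printf "%s\\n", %s`), so output now ends without a newline unless the user's format supplies one; if that change is intended it belongs in the commit message and the manual page, otherwise concatenate it back in awk, e.g. `'BEGIN{printf form "\n",('"$expr"');exit}'`. Also note that `-v` assignments have awk's escape processing applied to their value, so a format containing a literal backslash is interpreted; that matches the old behaviour of interpolating the format inside a double-quoted awk string, but it is worth a sentence in the comment since the stated goal is to make the first argument safer. Finally, the new comment points readers to "manual page ax(1df)" for the code-injection warning, but this commit changes only `bin/ax.sh` (1 file changed), so either the ax(1df) change should be part of this commit or the comment should not promise that the manual page documents it.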