https://www.linuxjournal.com/content/writing-secure-shell-scripts
The first "What file do you seek?" example is safe. I tried it in bash 4.4:
cd "$(mktemp -d)"
# delimiter quoted so that $name is written literally into the script
# instead of being expanded by the outer shell while the file is created
cat > script <<'EOF'
echo -n "What file do you seek? "
read name
ls -l $name
EOF
chmod +x script
./script
I entered:
. ; echo EVIL
The output was:
What file do you seek? . ; echo EVIL
ls: cannot access ';': No such file or directory
ls: cannot access 'echo': No such file or directory
ls: cannot access 'EVIL': No such file or directory
.:
total 4
-rwxrwxr-x. 1 Robin Robin 69 Feb 5 08:41 script
As you can see, the attempted malicious code was not executed. The malicious code was passed to ls as arguments.
I agree that the next example with eval is dangerous.
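An added example, not part of the comment above or of the Linux Journal article, that replays the commenter's input through the three ways a script can use it: an unquoted $name (split and globbed, but never re-parsed, so ";" and "echo" become arguments, as the comment observed), a quoted "$name" (one argument), and eval (re-parsed, so "echo EVIL" runs). It also shows the side of unquoted expansion that the commenter's input does not exercise: the words it produces are still globbed and can land in ls as file names or options. The names show_args, HOSTILE, unquoted, quoted, with_eval and unquoted_glob_demo are made up for this example, and the scratch directory it creates is constructed and removed by the script.

```shell
#!/bin/bash
# Added example; not code from the Linux Journal article or from the comment.
# It replays the commenter's input against three ways a script can use it:
#   1. unquoted  $name   - word-split and globbed, but never re-parsed as syntax
#   2. quoted   "$name"  - passed through as exactly one argument
#   3. eval              - re-parsed as shell code, so ';' starts a new command
# show_args stands in for "ls -l" and prints what it received, one per line,
# so the three cases can be compared without depending on directory contents.

# Constructed hostile input: exactly what the commenter typed at the prompt.
HOSTILE='. ; echo EVIL'

show_args() {
    printf '%s\n' "$@"
}

# Case 1: unquoted expansion. $name is split on $IFS and each word is
# glob-expanded, but the shell does not look for ';', '|' or '&&' in the
# result; they are just more arguments for show_args.
unquoted() {
    local name="$1"
    show_args $name
}

# Case 2: quoted expansion. The whole string is a single argument.
quoted() {
    local name="$1"
    show_args "$name"
}

# Case 3: eval. The expanded string is parsed again as a command line,
# so ';' terminates show_args and 'echo EVIL' runs as a separate command.
with_eval() {
    local name="$1"
    eval "show_args $name"
}

# Case 1 is not command injection, but it is still argument injection:
# in a directory holding files named '-R' and 'secret' (constructed here),
# the input '*' expands to both names, and a real "ls -l" would then read
# '-R' as an option rather than a file. The directory is removed afterwards.
unquoted_glob_demo() {
    local dir
    dir="$(mktemp -d)"
    : > "$dir/-R"
    : > "$dir/secret"
    ( cd "$dir" && unquoted '*' )
    rm -rf "$dir"
}

echo '--- unquoted $name ---';    unquoted "$HOSTILE"
echo '--- quoted "$name" ---';    quoted "$HOSTILE"
echo '--- eval ---';              with_eval "$HOSTILE"
echo '--- unquoted, input * ---'; unquoted_glob_demo
```

The first three sections print four arguments, one argument, and one argument followed by the output of the injected echo, respectively; the last prints the two file names the glob produced, the first of which a real ls would take as -R.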