- 03-22-2008 #1Just Joined!
- Join Date
- Mar 2008
- Posts
- 12
prevent command line invalid argument
Hi everybody,
I have a problem with command line arguments. I'm writing a program that requires them, and my very first purpose, of course, is to reject invalid input such as "./myprog 4#2 3..2" etc... But the problem is, when I enter the ';' the Linux system thinks of that as a command to be executed next (ls ; rm for example! Oh my god!). Because the shell grabs the chance to interpret commands first, my program can do nothing! So how can I handle that problem - how to prevent the ';' or whatever similar?
I have a feeling that it's a common kind of possible exploitation a malicious user may make, isn't it? If yes, how can we prevent it, in general?
- 03-22-2008 #2Linux Enthusiast
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 658
I'd argue that as a rule you don't have a problem here. If the user enters a dodgy command then the fault is with them and it is not your program's job to fix it.
More so, I'd say that if you could fix it you still shouldn't because it changes the behaviour of the shell and could cause problems when people legitimately want to separate their commands with a semicolon.
The only example I could think of is if you are accepting user input and concatenating it onto another command.
Code:
    chris@angua:~/dev/scratch$ cat test.sh
    #!/bin/bash
    /bin/bash -c "echo $1"
    chris@angua:~/dev/scratch$ ./test.sh test
    test
    chris@angua:~/dev/scratch$ ./test.sh 'test ; echo error'
    test
    error
My dodgy test.sh allows a user to inject another command as a parameter using the semicolon but if they inject an rm command into a program running as them, then they might as well just run rm and be done with it.
If your program is suid, or a script on a webserver then you would have a problem, but in that case you should be treating user input like toxic waste anyway.
Let us know how you get on,
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 03-22-2008 #3Just Joined!
- Join Date
- Mar 2008
- Posts
- 12
I forgot to tell you the details... I'm just a student learning to program on Linux, and the program I'm currently writing is "x to the power y", so the input should (!) be digit chars only.
Btw, may I ask another question, which is about dynamic library, here? I mean, should I start a new thread or not?
- 03-22-2008 #4Linux Enthusiast
- Join Date
- Apr 2004
- Location
- UK
- Posts
- 658
Then I stand by my previous "Not your problem" statement. Semicolons aren't getting passed to your app so they aren't there for you to validate or fix.
Validating the rest of the input to only accept numbers should be fairly straightforward but would be heading into the realms of helping with assignments which is against the forum rules.
As for your dynamic library question, start a new thread so the topic matches the subject line. It will get more relevant people looking at your question and makes it easier for people with your problem to search for any solutions you get given.
Let us know how you get on,
Chris...
To be good, you must first be bad. "Newbie" is a rank, not a slight.
- 03-22-2008 #5Linux Guru
- Join Date
- Nov 2007
- Location
- Córdoba (Spain)
- Posts
- 1,513
It's really difficult to tell you what to do and how to do it without knowing the details. But, in the first place, there must be special characters, like ; or &: the shell needs a way to control some things, and there's no way you can avoid that without hurting the bash capabilities in a big way.
If you want bash to treat some characters textually and bypass their special meaning for bash, you must 'escape' them. In bash, you can escape a character by putting a backslash in front of it. For example, a common case is when you want to pass a ';' on a find -exec command, like this:
Code:
    cd /etc; find . -name '*.conf' -exec ls -l '{}' \;
In that command, the first ';' is interpreted by bash, meaning that a new command is being appended after "cd /etc". The second one is escaped, and as such, it's not interpreted by bash, but, instead, it's passed to the exec part of find, acting as its terminator.
A simpler example would be this one:
Code:
    $ echo Honkey; donkey; monkey
This fails, because bash interprets this as lots of separate commands. On the contrary:
Code:
    $ echo Honkey\; donkey\; monkey
    Honkey; donkey; monkey
Produces the expected output. In echo you can hard quote the whole thing as well:
Code:
    $ echo 'Honkey; donkey; monkey'
    Honkey; donkey; monkey
In a bash script, when you quote something, then it's all part of a given parameter, so, parameters can hold spaces as long as they are quoted or escaped. For example, if you save this as test.sh:
Code:
    #!/bin/bash
    echo $1
    echo $2
Then this will happen:
Code:
    $ ./test 1 2 3
    1
    2
    $ ./test "1 2 3 4 5;" 6
    1 2 3 4 5;
    6
As you see, it's all a matter of using it correctly, not only how you design the script.
You should start by checking that the number of params is correct:
Code:
    # If number of params is not 2, then echo help message
    # and exit with status 1, usually 0 is clean exit
    if [ "$#" -ne 2 ]
    then
        echo "Help text"
        exit 1
    fi
Once you have that sorted, you can also check that the values are correct using "case" instructions, but I doubt you'll find a 100% correct way to match only integers; the closest I can think of is [0-9]*, but that will match anything starting with a cypher from 0-9, including 4foo, for example. I would just use anything other than bash if you need to do anything more complex than to sum up two integers. Bash maths suck big time.
Quote:
    Btw, may I ask another question, which is about dynamic library, here? I mean, should I start a new thread or not?
I don't know what you mean. There's not anything like a bash compiler, and as such there are no bash dynamic libraries or anything like that.
- 03-22-2008 #6Just Joined!
- Join Date
- Mar 2008
- Posts
- 12
Thanks a lot for your help .
The program I write is in C - I forgot to tell this also, sorry
- 03-22-2008 #7Linux Guru
- Join Date
- Nov 2007
- Location
- Córdoba (Spain)
- Posts
- 1,513
Sorry, I got confused, but still most of what I told you still applies. You need to quote and escape your arguments correctly, it doesn't matter which language you used to write your program. What matters is the shell you are using, and that's almost for sure bash, which is the default Linux shell on most distros. If you need to pass chars like ; or & to your programs, you must escape them on the shell first. There's nothing your program can do to overcome that.


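Added example, not code from any poster in this thread: since the shell consumes an unquoted `;` before the program starts, all a C program can validate is what actually arrives in `argv`. This version accepts digit-only arguments for the "x to the power y" case and also refuses results that would overflow; the function names `parse_digits` and `checked_pow` are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Accept only a non-empty run of ASCII digits that fits in unsigned long.
 * Returns 0 and stores the value on success, -1 on any other input. */
int parse_digits(const char *s, unsigned long *out)
{
    if (s == NULL || *s == '\0') return -1;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))  /* rejects "4#2", "3..2", "-1", " 7" */
            return -1;
    errno = 0;
    unsigned long v = strtoul(s, NULL, 10);
    if (errno == ERANGE)                  /* too many digits to represent */
        return -1;
    *out = v;
    return 0;
}

/* Compute x^y; returns -1 instead of silently wrapping on overflow. */
int checked_pow(unsigned long x, unsigned long y, unsigned long *out)
{
    unsigned long r = 1;
    if (x <= 1) {                         /* 0^y and 1^y need no loop */
        *out = (x == 1 || y == 0) ? 1 : 0;
        return 0;
    }
    while (y-- > 0) {
        if (r > ULONG_MAX / x) return -1; /* next multiply would overflow */
        r *= x;
    }
    *out = r;
    return 0;
}

int main(int argc, char **argv)
{
    unsigned long x, y, r;
    if (argc != 3 || parse_digits(argv[1], &x) || parse_digits(argv[2], &y)
        || checked_pow(x, y, &r)) {
        fprintf(stderr, "usage: pow X Y (digits only, result must fit)\n");
        return 1;
    }
    printf("%lu\n", r);
    return 0;
}
```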
