Self-modifying code OR using Bash with a CGI script

It is a well-known and widely accepted principle that self-modifying code is dangerous and should never be done.

Many years ago, when computers had fewer resources and code had to be more compact, very bright individuals would often use self-modifying code to create elegant, if somewhat bizarre, solutions to the problem of making programs fit in very small spaces.

We no longer have that issue. Computers today have, in most cases, abundant resources.

However there are always circumstances beyond our control that drive us to do things that we would never choose to do on our own.

This FAQ entry describes one of those situations.

The problem encountered is a situation where a Web-based form invokes a CGI-bin script that is written in BASH.

Now of course we know you would never write a CGI-bin script in BASH. So for the purposes of this entry we will assume that terrorists have kidnapped your wife and children and will torture, maim, kill, "or worse" them if you do not comply with their demands to write such a script.

(The "or worse" situation would clearly be something like being forced to use Microsoft-based software.)

The quick and easy way to process the string of variable assignments that is passed in to a CGI script is to use the eval command to perform those assignments. However, as we all know, the use of eval is "STRONGLY DISCOURAGED". That is to say, we always avoid using eval if there is any way around it, because eval does not just assign variables: it hands the whole string to the shell as code.

This is the old way, which is remarkably unsafe:

# read in the cgi input string
read foo

# convert some of the encoded strings and things like "&" (left as an exercise for the reader)

# run eval on the string
eval $foo

# sit back and discover that the user had put "/bin/rm -rf /" in one of the web form fields, which even if the script is not running as root will damage whatever part of the file system the web server's user can write to. Another dangerous string would be a fork bomb.

the safer way:

# read in the cgi input string
read foo

# convert some of the encoded strings and things like "&" (left as an exercise for the reader)

# in this case the variable foo below is being given the string after conversion of the encoded string,
# so you can have an example that really works.

foo='uname=John+smith;email=john.smith@johnsmith.com;phone=999-999-9999;asst=John+smith;aemail=john.smith@ohnsmith.com;aphone=999-999-9999;teamclass=BU14;c1day1=M;c1T1=5:00;c1day2=W;c1T2=5:00;c2day1=T;c2T1=6:30;c2day2=W;c2T2=6:30;c3day1=W;c3T1=6:30;c3day2=F;c3T2=5:00;ADDBOX=;'

# split the string on ";" into an array, then let declare perform each name=value assignment;
# the string is treated as data, never parsed as shell code
IFS=';' read -a arr <<< "$foo"; for i in "${arr[@]}"; do
    declare "$i"
done

echo "$uname"

While this might be a little less clear, it avoids the huge security problem that eval has: executing any arbitrary command the user cares to enter into the Web form. A ";/bin/rm -rf /" in a field is now just the text of a value, not a command. Clearly it is more desirable to do it this way. One caveat remains: the name on the left of each "=" is still chosen by the client, so a form field named PATH, IFS or HOME will overwrite that variable in your script. Check each name against the identifiers you expect (or store the values in an associative array keyed by name) before assigning.

NOTE- this example specifically relies on the ";" being used to separate the variable assignments in the CGI input string. In order for that to happen, YOU MUST convert the "&" chars into ";" chars.
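As an added example (it is not the FAQ's own code, nor what trash or lhunath posted), here is a complete bash version of the safer approach that also does the decoding the entry leaves as an exercise. It splits on "&" directly (";" is accepted too, so no conversion step is needed), decodes "+" and %XX in each name and value, refuses any name that is not a plain identifier, and stores the results in an associative array instead of declaring client-named variables. The function names urldecode and parse_form, the identifier rule, and the sample query string are all assumptions made for this example; a real CGI script would feed parse_form "$QUERY_STRING" (GET) or the request body read from stdin (POST).

```bash
#!/usr/bin/env bash
# Added example, not part of the original FAQ entry. Requires bash 4.3+ (namerefs).

# urldecode VAR STRING: decode one form-encoded field into the variable named VAR.
# '+' becomes a space and %XX becomes the byte 0xXX. Bytes are appended one at a
# time, so a literal backslash in the input is never handed to printf as a
# format string (the common printf '%b' one-liner has that flaw).
# Returns 1 on a '%' that is not followed by two hex digits.
urldecode() {
    local raw="${2//+/ }" out='' i c hex
    for (( i = 0; i < ${#raw}; i++ )); do
        c=${raw:i:1}
        if [[ $c == '%' ]]; then
            hex=${raw:i+1:2}
            [[ $hex == [0-9A-Fa-f][0-9A-Fa-f] ]] || return 1
            [[ $hex != 00 ]] || return 1   # bash strings cannot hold NUL; refuse rather than drop it
            printf -v c "\\x$hex"          # hex is validated, so only \xHH reaches printf
            (( i += 2 ))
        fi
        out+=$c
    done
    printf -v "$1" '%s' "$out"
}

# parse_form ARRAY STRING: split a query string on '&' (or ';') into the
# associative array ARRAY, decoding each name and value. Names must be
# identifiers; anything else, or a bad percent-escape, makes the whole
# request invalid (return 1) so the script can answer 400 rather than guess.
# Nothing here is ever evaluated as shell code.
parse_form() {
    local -n target=$1
    local ident_re='^[A-Za-z_][A-Za-z0-9_]*$' pair key val
    local -a pairs
    IFS='&;' read -r -a pairs <<< "$2"
    for pair in "${pairs[@]}"; do
        [[ -z $pair ]] && continue          # tolerate "a=1&&b=2" and a trailing separator
        if [[ $pair == *=* ]]; then
            urldecode key "${pair%%=*}" || return 1
            urldecode val "${pair#*=}"  || return 1
        else
            urldecode key "$pair" || return 1   # bare name, e.g. an unchecked checkbox
            val=''
        fi
        # A name like "x[0]" or "PATH" must never reach an assignment or an
        # arithmetic context; identifiers only, and they only become array keys.
        [[ $key =~ $ident_re ]] || return 1
        target[$key]=$val
    done
}

# Constructed sample (not real traffic): the last field carries the sort of
# payload the FAQ warns about. Under eval it would run; here it is just bytes.
declare -A form
sample='uname=John+smith&email=john.smith%40johnsmith.com&phone=999-999-9999&ADDBOX=&note=%3B%2Fbin%2Frm+-rf+%2F'
if parse_form form "$sample"; then
    for k in "${!form[@]}"; do printf '%s=[%s]\n' "$k" "${form[$k]}"; done
else
    printf 'Status: 400 Bad Request\r\n\r\n'   # a real CGI script would stop here
fi
```

Keeping the values in an array rather than calling declare on each pair means a hostile field name cannot touch PATH, IFS or any other variable the script relies on, and the identifier check also keeps names like "x[0]" out of places where bash would evaluate them arithmetically. Rejecting the whole request on the first malformed pair is deliberate: guessing at what a broken client meant is how parsers get talked into surprising states.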

This solution was published in the channel by trash, and was pointed out by lhunath.