[Surfraw-devel] Use of eval in surfraw: is really indispensable?
Marco Ippolito
ippolito.marco at gmail.com
Fri Apr 17 13:16:52 UTC 2015
Hi all,
three days ago I installed via sudo apt-get install surfraw in by
Ubuntu 14.04.02 server edition. And it works fine.
In order to understand its inner functioning, I today started to look
and understand the code inside it, and I found eval command is used
few times.
I looked for more info about eval bash command and I found these
interesting info sources:
http://mywiki.wooledge.org/BashFAQ/048
http://mywiki.wooledge.org/BashFAQ/006
where you can read:
"
Generally, eval is correct when at least all of the following are satisfied:
All possible arguments to eval are guaranteed not to produce harmful
side-effects or result in execution of arbitrary code under any
circumstance. The inputs are statically coded, free from interaction
with uncontrolled dynamic code, and/or validated throughly. This is
why functions are important, because YOU don't necessarily have to
make that guarantee yourself. So long as your function documents what
inputs can be dangerous, you can delegate that task to the function's
caller.
The eval usage presents a clean interface to the user or programmer.
The eval makes possible what would otherwise be impossible without far
more large, slow, complex, dangerous, ugly, less useful code.
If for some reason you still need to dynamically build bash code and
evaluate it, make certain you take these precautions:
Always quote the eval expression: eval 'a=b'
Always single-quote code and expand your data into it using printf's
%q: eval "$(printf 'myvar=%q' "$value")"
Do NOT use dynamic variable names. Even with careful %q usage, this
can be exploited.
"
So....my question is: the use of eval in surfraw is really
indispensable, or could be safely replaced?
Looking forward to your kind feedback.
Kind regards.
Marco
More information about the Surfraw-devel
mailing list