Thanks, John, for your reply also on this matter!

On Feb 15, 3:16 pm, jcbollinger <john.bollin...@stjude.org> wrote:
> It seems like this should do the trick:
> puppet -e '$v="xyz" exec { f: command => "/bin/echo v is \'$v\'",
> logoutput => true }'

:-) Yeah, that would take care of these particular instances.

Now imagine this (in a proper manifest file, so we take shell escaping
out of the picture):

# This is identical to your proposal, right? :
exec { f:
    command => "/bin/echo v is '$v'",
    logoutput => true
}

Now, how about:
# double-quote, single-quote, double-quote: This causes an error
$v = "'"

or

# This causes an error too
$v = "x'y'z\n@$\"{"

or

# This does _bad_ stuff
$v = "';rm -rf /etc";

My point is that unless there is some support in puppet for escaping
$v, there is *no* way to use $v reliably in an exec command string,
given an arbitrary $v. For any quoting suggestion you come up with, I
would always be able to come up with a counter-example of $v so that
/etc/passwd gets sent to hackers-r-us.dk.

Unless puppet supports escaping somehow. Which it looks like it
doesn't. Which means that I have to check all facts and input to
puppet outside of puppet, or my custom facts have to be sanitised or
pre-escaped before puppet sees them, which is a shame! :-(

I'm surprised I can't find an equivalent of Perl's quotemeta or Ruby's
Shellwords.escape. Invaluable for _safe_ shell stuff...

Peter
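
The escaping step the message asks for, shown with Ruby's Shellwords as an added example (not part of the original post and not Puppet code). It compares the single-quote wrapping from the manifest with `Shellwords.escape` for the `$v` values quoted above; the helper names are hypothetical, and `Shellwords.split` stands in for the shell's word splitting so nothing is executed.

```ruby
require 'shellwords'

# Values of $v from the post, written as Ruby literals (not Puppet syntax).
SAMPLES = ["xyz", "'", "x'y'z\n@$\"{", "';rm -rf /etc"].freeze

# The quoting style from the manifest: wrap the value in single quotes.
def naive_command(v)
  "/bin/echo v is '#{v}'"
end

# The same command with the value passed through Shellwords.escape first.
def escaped_command(v)
  "/bin/echo v is #{Shellwords.escape(v)}"
end

# Tokenise the command line with Shellwords.split (no shell is started) and
# report whether the value arrives as exactly one unchanged argument.
# Assumption: Shellwords.split models quoting and word splitting only, not
# operators such as ';', so it shows loss of integrity, not what would run.
def classify(command, v)
  argv = Shellwords.split(command)
  argv == ['/bin/echo', 'v', 'is', v] ? :intact : :altered
rescue ArgumentError
  :syntax_error # unbalanced quote in the generated command line
end

# One row per sample: [value, result with naive quoting, result with escaping].
def report
  SAMPLES.map do |v|
    [v, classify(naive_command(v), v), classify(escaped_command(v), v)]
  end
end

if __FILE__ == $PROGRAM_NAME
  report.each do |v, naive, escaped|
    puts format('%-18s naive=%-13s escaped=%s', v.inspect, naive, escaped)
  end
end
```

Only the plain `xyz` value survives the single-quote wrapping; every sample survives once it is escaped before interpolation.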
