apostrophes aren't correctly encoded
akhepcat opened this issue · 2 comments
akhepcat commented
The current code contains an unnecessary escape of the apostrophe within the sed command, causing apostrophes to not be XML encoded correctly. (Current line 193.)
Additionally, by unnecessary use of redirection, you're exposing the password to external processes. Internal bash functions should be used instead for /slightly/ more security.
Here's a quick example of the current (broken), a fixed version, and the internal-only code.
$ ./fixpass.sh
password: a;b'c"d&e<f>g!
     raw: a;b'c"d&e<f>g!
   broke: a;b'c&quot;d&amp;e&lt;f&gt;g!&apos;
   fixed: a;b&apos;c&quot;d&amp;e&lt;f&gt;g!
internal: a;b&apos;c&quot;d&amp;e&lt;f&gt;g!
$ cat fixpass.sh
#!/bin/bash
echo -n "password: "
read USER_PASS
USER_PASS_XML_BROKE=$(echo "$USER_PASS" | sed -e 's~&~\&amp;~g' -e 's~<~\&lt;~g' -e 's~>~\&gt;~g' -e 's~\"~\&quot;~g' -e "s~\'~\&apos;~g" )
USER_PASS_XML_FIXED=$(echo "$USER_PASS" | sed -e 's~&~\&amp;~g; s~<~\&lt;~g; s~>~\&gt;~g; s~\"~\&quot;~g;' -e "s~'~\&apos;~g;" )
USER_PASS_FIX_INT=${USER_PASS//&/&amp;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//</&lt;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//>/&gt;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//\"/&quot;}
USER_PASS_FIX_INT=${USER_PASS_FIX_INT//\'/&apos;}
echo "     raw: ${USER_PASS}"
echo "   broke: ${USER_PASS_XML_BROKE}"
echo "   fixed: ${USER_PASS_XML_FIXED}"
echo "internal: ${USER_PASS_FIX_INT}"
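An added example, not part of the issue or of the project's code: the "internal" variant from the transcript packaged as a reusable bash function, with a matching unescape used to check the round trip. The entity set and the sample password are the ones in the transcript; the names `xml_escape`, `xml_unescape` and `SAMPLE_PASS` are this example's own. Two caveats worth knowing when doing this in bash. First, the trailing `&apos;` in the "broke" output is what GNU sed's regex extension `\'` does: it anchors at the end of the pattern space, so the broken command appends an entity instead of replacing apostrophes. Second, bash 5.2 turned on the `patsub_replacement` option by default, under which an unquoted `&` in the replacement part of `${var//pat/rep}` expands to the matched text; quoting the replacement (`"&lt;"`) keeps it literal on every bash version, which is why the function below does so.

```bash
#!/bin/bash
# Added example, not from the original issue or the project. Escapes a
# secret for XML text/attribute content using only bash parameter
# expansion, so the value never leaves the shell process.

xml_escape() {
    local s=$1
    # '&' must go first; otherwise the '&' introduced by the other
    # entities would itself be re-escaped ('&lt;' -> '&amp;lt;').
    # Replacements are quoted so that '&' stays literal even under
    # bash 5.2's patsub_replacement option.
    s=${s//&/"&amp;"}
    s=${s//</"&lt;"}
    s=${s//>/"&gt;"}
    s=${s//\"/"&quot;"}
    s=${s//\'/"&apos;"}
    printf '%s' "$s"
}

# Reverse mapping, used here to check that escaping round-trips.
xml_unescape() {
    local s=$1
    s=${s//&lt;/<}
    s=${s//&gt;/>}
    s=${s//&quot;/\"}
    s=${s//&apos;/\'}
    s=${s//&amp;/&}   # '&amp;' last, mirroring the order above
    printf '%s' "$s"
}

# Constructed sample (hypothetical), identical to the transcript's password.
SAMPLE_PASS="a;b'c\"d&e<f>g!"

# Interactive use: read without echo and without backslash mangling.
# When stdin is not a terminal, fall back to the constructed sample.
if [ -t 0 ]; then
    read -r -s -p 'password: ' USER_PASS
    echo
else
    USER_PASS=$SAMPLE_PASS
fi

escaped=$(xml_escape "$USER_PASS")
echo "     raw: ${USER_PASS}"
echo " escaped: ${escaped}"
if [ "$(xml_unescape "$escaped")" = "$USER_PASS" ]; then
    echo "round-trip: ok"
else
    echo "round-trip: MISMATCH"
fi
```

No external process sees the value: there is no `echo ... | sed` pipeline, so the secret stays in the shell's own memory rather than being written to a pipe and into sed's address space.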