Bug#490605: debian-policy: please discourage the usage of echo -n, and echo in general
On Thursday 04 June 2009 07:14:25 Bill Allombert wrote:
> On Thu, Jun 04, 2009 at 11:53:19AM +0200, Raphael Hertzog wrote:
[...]
> > Ugliness is relative. I have no problem with printf.
>
> Consider this example: the safe "printf" way to do
> echo $BAR
> is
> printf "%s\n" "$BAR"
>
> (in case BAR holds a value like BAR="%s a")
> So printf is slightly unwieldy to use and it can create
> a format string attack.
If not used properly, just like many other features/tools, it can lead to some
sort of security issue. A note could be added that passing variables as the first
argument to printf should only be done when the necessary precautions to
avoid format string attacks have been taken, similar to what it says about temporary
files.
>
> > For the second argument:
> >
> > [ using bash ]
> > $ type printf
> > printf is a shell builtin
> > $ dash
> > $ type printf
> > printf is a shell builtin
> >
> > There's no external executable needed.
>
> Are all these shell builtin compatible with /usr/bin/printf ?
Yes, because printf is well defined.
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
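As an added example (not part of the bug thread, and not Debian policy text), the POSIX sh functions below contrast the unsafe printf form, where the variable is the format string, with the safe fixed-format form, and show a portable replacement for "echo -n". The function names and the sample value BAR='%s a' (the thread's own case) plus a backslash case are constructed for illustration.

```sh
#!/bin/sh
# Added example: demonstrates why the thread recommends
#   printf '%s\n' "$BAR"   over   printf "$BAR"   and   echo -n "$BAR".
# Function names and sample values are constructed for this example.

# Unsafe: the caller's value becomes printf's format string, so any
# '%' conversion or backslash escape inside it is interpreted.
print_unsafe() {
    printf "$1\n"
}

# Safe: a fixed format string; the value is only ever consumed by %s,
# so '%' and '\' in the data are printed literally.
print_safe() {
    printf '%s\n' "$1"
}

# Portable replacement for "echo -n": omit the newline in the fixed
# format string instead of relying on echo options, whose handling
# differs between shells (dash, bash, /bin/echo).
print_no_newline() {
    printf '%s' "$1"
}

# Constructed sample values.
BAR='%s a'      # the thread's example: a data value containing a conversion
ESC='a\tb'      # a data value containing a backslash escape

# With the unsafe form, '%s' is treated as a conversion with no argument
# and the value printed is not the value passed in.
print_unsafe "$BAR"      # prints " a"
print_safe   "$BAR"      # prints "%s a"

# With the unsafe form, '\t' is expanded to a tab; the safe form keeps it.
print_unsafe "$ESC"      # prints "a<TAB>b"
print_safe   "$ESC"      # prints "a\tb"

# No trailing newline, without echo -n.
print_no_newline "$BAR"; printf '\n'
```

Run it under both dash and bash (sh ./example.sh; bash ./example.sh): the printf lines behave identically because printf's format conversions are specified, which is the portability point made about the builtin versus /usr/bin/printf.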