
Re: sed question



On Fri, Dec 06, 2019 at 02:40:49PM -0500, songbird wrote:
> Greg Wooledge wrote:
> ...
> > Ideally, you'd just stop trying to use sed with user-supplied variables
> > injected into the code.  Sed was never built to be safe for that kind of
> > work.
> 
>   sed was designed to operate on streams.  a sequence of 
> characters is a stream.  i don't see any reason why 
> putting the variable into the middle of that expression 
> means anything different.

It was designed to accept a program in argv[] and execute that program
on its input, which is a stream.

You are injecting your end-user variables inside sed's program.  This
is called code injection.  End-user data is being parsed as code by
a code interpreter (in this case, sed).

The workarounds for this are:

1) Carefully quote/dequote/escape/mangle the end-user data so that
   after it has been injected into the code, it will achieve the desired
   goal.

2) Use some other tool or method of supplying the end-user data so that
   it is never parsed as code by any interpreter.

If you insist on doing #1, so be it.  It's your damned computer, and your
damned problem.  I can only warn you and be ignored so many times
before I give up and let you fuck yourself, as you are so vehemently and
stubbornly eager to do.


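The two workarounds Greg lists, as an added example that is not part of the original thread: a naive sed call with end-user values pasted into its program, a version that escapes both halves of the s command before injecting them (workaround 1), and two versions that never let the data become program text (workaround 2), one in plain POSIX shell and one in awk with the values read from the environment. The sample line, the function names and the escaping helpers are constructed for this example; the escapers assume a `/` delimiter and a single-line search string.

```shell
#!/bin/sh
# Added example, not from the thread.  Replaces the first occurrence of an
# end-user supplied string with another end-user supplied string, first the
# way the thread warns against, then via the two workarounds Greg lists.
# Every name below (SAMPLE, replace_*, escape_sed_*) is made up for this example.

# Constructed sample input line.
SAMPLE='url=http://old.example/path'

# The pattern the thread objects to: user data pasted straight into sed's
# program.  A '/' in either value terminates the s command early, and '.',
# '*', '&', '\' etc. are parsed as regex or replacement syntax, not as text.
replace_naive() {
    sed "s/$1/$2/"
}

# Workaround 1: escape the data so that, once injected, it means what the user
# typed.  The two halves of an s command have different metacharacters, so
# they need different escapers.  Assumes a '/' delimiter and a single-line
# search string; a newline in the replacement becomes backslash-newline,
# which sed accepts as a literal newline.
escape_sed_pattern() {
    # BRE metacharacters: \ . * [ ] ^ $ plus the delimiter /.
    printf '%s' "$1" | sed 's,[]$*.^/\\[],\\&,g'
}
escape_sed_replacement() {
    # Replacement metacharacters: \ & and the delimiter /.
    printf '%s' "$1" | sed -e 's,[&/\\],\\&,g' -e '$!s,$,\\,'
}
replace_with_sed() {
    [ -n "$1" ] || { echo 'replace_with_sed: empty search string' >&2; return 1; }
    old=$(escape_sed_pattern "$1")
    new=$(escape_sed_replacement "$2")
    sed "s/$old/$new/"
}

# Workaround 2a: no interpreter at all.  This script is the only code; the
# user values are only compared (quoted, so matched literally) and printed.
replace_with_shell() {
    old=$1 new=$2
    while IFS= read -r line; do
        case $line in
            *"$old"*)
                [ -n "$old" ] || { printf '%s\n' "$line"; continue; }
                prefix=${line%%"$old"*}
                suffix=${line#*"$old"}
                printf '%s\n' "$prefix$new$suffix" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Workaround 2b: awk is an interpreter, but its program is a constant string.
# The user values reach it through ENVIRON, not through -v (which would
# interpret backslash escapes in the value) and never through the program
# text.  index() searches for a plain string, so no regex escaping is needed.
replace_with_awk() {
    OLD=$1 NEW=$2 awk '
        BEGIN { old = ENVIRON["OLD"]; new = ENVIRON["NEW"] }
        {
            i = (old == "") ? 0 : index($0, old)
            if (i > 0)
                $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
            print
        }'
}

# Demonstration on the constructed line (the naive call is expected to fail).
printf '%s\n' "$SAMPLE" | replace_naive 'old.example/path' 'new.example/x' \
    || echo 'replace_naive: sed rejected the injected program' >&2
printf '%s\n' "$SAMPLE" | replace_with_sed   'old.example/path' 'new.example/a&b\c'
printf '%s\n' "$SAMPLE" | replace_with_shell 'old.example/path' 'new.example/a&b\c'
printf '%s\n' "$SAMPLE" | replace_with_awk   'old.example/path' 'new.example/a&b\c'
```

The safe versions all print `url=http://new.example/a&b\c`, while the naive call aborts because the `/` inside the search string ends the s command early. The two things that keep workaround 2 safe are `read -r` plus `printf '%s'` (the shell never re-parses the value) and passing values to awk through the environment rather than `-v` or the program string.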