Passwordless SSH messes with escaped spaces

Jannes Faber jannes.faber at gmail.com
Thu Aug 24 22:41:42 GMT 2006 

Hi,

Thanks for your answer.

Yes that's what I want to do. Well luckily I can tell normal spaces 
apart from escaped ones because the \ is still there (unless there are 
really weird file names that screw that up).

I thought I had actually tried exec "${arr[@]}" (you think enjoy typing 
all those lines? :)  ) but I guess not: works like a charm. Thanks !

Anyway, hoping it might be useful to someone else, here's the version I 
have now (any comments on mistakes or omissions are very welcome!) :

#!/bin/sh
# v0.2  2006-08-25    jannes.faber at gmail.com
#
# Drops any command with any "special" character in it.
#    < > | & ; $ `
#
# Then only allows "rsync --server --sender ..." but retains any
# escaped spaces in the arguments.
#

cmd="$SSH_ORIGINAL_COMMAND"

myself=${0##*/}
logfile="/var/log/${myself}.log"

# Log the command
echo "$(date '+%F %T') $cmd" >> $logfile

# Clean up string
cmd="${cmd/</}"
cmd="${cmd/>/}"
cmd="${cmd/|/}"
cmd="${cmd/&/}"
cmd="${cmd/;/}"
cmd="${cmd/\$/}"
cmd="${cmd/'`'/}"

# Is it still the same? If there were any illegal
# characters, log it and quit directly
[ ! "$cmd" = "$SSH_ORIGINAL_COMMAND" ] && {
  echo "WARNING: previous command contains ILLEGAL characters!" >> $logfile
  exit 1
}

[ ! "${cmd:0:24}" = "rsync --server --sender " ] && exit 1

# ok, seems the command passed all tests. Now fix it so we preserve
# any escaped spaces.
set $cmd
declare -a arr

i=0
for a in $*; do
  arr[$i]="${arr[$i]:+${arr[$i]} }$1"
  if [ "${1%\\}" = "$1" ]; then
    i=$(($i+1))
  else
    arr[$i]="${arr[$i]%\\}"
  fi
  shift 1
done

# Finally, we're ready to run the command!
exec "${arr[@]}"


Jannes Faber

Matt McCutchen wrote:
> So really, your goal is to somehow get back from $SSH_ORIGINAL_COMMAND
> the original arguments, check that the first three are what they
> should be, and then execute the command line without further
> expansion.  Since $SSH_ORIGINAL_COMMAND doesn't give you any way to
> tell spaces between arguments from spaces inside arguments, one can't
> do much better than your approach.
>
> For the final exec, you could just use exec "${arr[@]}" .  Since bash
> does not re-expand the contents of variables when they are used,
> backquotes and other shell constructs in ${arr[@]} will not take
> effect, i.e., you're safe.
>
> Matt
>
> .
>

More information about the rsync mailing list