[英]How do I tell linux bash to ignore backticks?
I'm writing a chef recipe that calls the mysql
command and executes a query. 我正在写一个调用mysql
命令并执行查询的厨师食谱。 The problem is that the query passed into this command can have backticks, and I have no control over that. 问题在于传递给该命令的查询可能带有反引号,而我对此无能为力。 EG I'll do something like this: EG我会做这样的事情:
execute "update_customer_segment_custom_condition_#{no_space_segment_name}" do action :run command "mysql --user=#{user} #{db_name} --execute="CALL someStoredProcedure(\\"A String\\", \\"A QUERY CONTAINING BACKTICKS OVER WHICH I HAVE NO CONTROL THAT NEEDS TO BE PASSED VERBATIM\\");" end
but Bash always complains about the syntax because it tries to interpret the backticks and evaluate. 但是Bash总是抱怨语法,因为它试图解释反引号并进行评估。 How can I tell it to completely ignore that character? 我如何告诉它完全忽略该字符?
FYI this is being called inside a chef execute
block as a command
, hence using # for variables. 仅供参考,这是在厨师execute
块内作为command
调用的,因此对变量使用#。
You could also use an execute
resource in Chef instead of bash
. 您也可以在Chef中使用execute
资源,而不是bash
。 That won't use bash and thus backticks have no special meaning. 那不会使用bash,因此反引号没有特殊含义。
EDIT: 编辑:
To be more specific with the example resource you posted 更具体地讲,您发布的示例资源
execute "update_customer_segment_custom_condition_#{no_space_segment_name}" do
command ['mysql', "--user=#{user}", db_name, '--execute="CALL someStoredProcedure(\"A String\", \"A QUERY CONTAINING BACKTICKS OVER WHICH I HAVE NO CONTROL THAT NEEDS TO BE PASSED VERBATIM\");"']
end
The array form for command
shuts off any processing by the shell. command
的数组形式将关闭外壳程序的所有处理。
this is probably because you build a string with ruby (I dont' know ruby) and then pass it into a shell execute with action run 这可能是因为您使用ruby构建了一个字符串(我不知道ruby),然后将其传递到具有操作运行的shell中。
This already has a problem as your double quotes terminate in middle string: 这已经存在问题,因为双引号终止于中间字符串:
command " mysql --user=#{user} #{db_name} --execute= "CALL someStoredProcedure(\\"A String\\", \\"A QUERY CONTAINING BACKTICKS OVER WHICH I HAVE NO CONTROL THAT NEEDS TO BE PASSED VERBATIM\\");" 命令“ mysql --user =#{user}#{db_name} --execute = ” CALL someStoredProcedure(\\“ Astring \\”,\\“在我无法控制的情况下包含反引号,需要逐字逐句\\” );”
so I wonder if ruby does not give a syntax error here for the supplemental " at the end. 所以我想知道ruby是否在最后没有为补充“”给出语法错误。
the string you want to generate looks (probably) like this: 您要生成的字符串看起来(可能)是这样的:
mysql --user=#{user} #{db_name} --execute="CALL someStoredProcedure(\"A String\", \"A QUERY\");"
you need to generate it like that: 您需要像这样生成它:
mysql --user=#{user} #{db_name} --execute='CALL someStoredProcedure("A String", "A QUERY");"
And the part with "A QUERY" you need to replace all occurences of '
with '\\''
else you can still get a shell code injection. 而带有“ A QUERY”的部分需要用'\\''
替换所有出现的'
,否则您仍然可以获得外壳代码注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.