Ways to provide arguments to a command executed by `bash -c`

In someone's reply to one of my posts (which I forgot), I remember

bash -c "somecommand $1" bash $somevariable

instead of

bash -c "somecommand $somevariable"

I saw this example again in the findutils manual:

find -exec sh -c 'something "$@"' sh ;

instead of

find -exec sh -c "something " ;

Do the two examples have the same reason to use the first solution instead of the other solution? If yes, what is it?

Inspired by "Why does command injection not work in this example?" and "Is the following the only form of command injection in bash?"

  • The answer is explained in the question you linked to in your question (unix.stackexchange.com/q/448443/674): "The reason for this is that the ‘’ is expanded to a filename which might contain a semicolon or other characters special to the shell. If for example someone creates the file /tmp/foo; rm -rf $HOME then the two commands above could delete someone’s home directory."
    – Tim Kennedy, Jun 7 at 15:26

  • The last find example will usually not work as POSIX only grants that simple arguments are expanded at all.
    – schily, Jun 7 at 15:52

  • @schily, depends on what you mean with "usually". GNU find replaces anywhere in the strings, and according to documentation, so do the finds on FreeBSD and OpenBSD. So does the one that comes on Macs. I suppose those together are a significant portion of the finds in use.
    – ilkkachu, Jun 7 at 19:10

  • AIX does not expand it, HP-UX does not, Solaris does not, sfind/libfind does not. Looks like a 4:3 ratio against expansion.
    – schily, Jun 7 at 19:22

  • @schily, AIX, HP-UX and Solaris AFAIK all have the same AT&T find implementation and account for probably less than 1% of the systems in operation on topic on unix.stackexchange.com. GNU+busybox+freebsd+macOS probably account for more than 90% of the find implementations out there, and all do the expansions. (I'd rather they didn't though as that would get rid of a lot of vulnerabilities in poorly written scripts). Or IOW, most people will have never come across an implementation that doesn't do the expansion.
    – Stéphane Chazelas, Jun 8 at 14:59

asked Jun 7 at 15:15 by Tim
edited Jun 8 at 13:43
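The reason behind both of the question's examples, shown as an added example that is not from the original post or its comments: a constructed file name in the spirit of Tim Kennedy's `/tmp/foo; rm -rf $HOME` (with a harmless `echo` in place of the destructive command) is pushed through the interpolating form and the positional-argument form of both `bash -c` and `find -exec sh -c`. The function names, the marker value and the temporary directory are this example's own assumptions.

```sh
# Constructed untrusted value (this example's own): a file name in the spirit
# of the comment's "/tmp/foo; rm -rf $HOME", with a harmless echo instead.
untrusted='foo; echo INJECTED'

# Unsafe: the OUTER shell expands $1 into the -c string, so the inner bash is
# handed   printf '%s\n' foo; echo INJECTED   and parses the ';' as a command
# separator. Two commands run where one was intended.
run_unsafe() {
    bash -c "printf '%s\n' $1" 2>&1
}

# Safe: the -c string is a fixed, single-quoted template. The value travels as
# argv[1] of the inner bash (the extra "bash" fills $0), and "$1" expands it as
# ONE word, so nothing inside it is ever re-parsed as shell syntax.
run_safe() {
    bash -c 'printf "%s\n" "$1"' bash "$1" 2>&1
}

# The same two shapes with find -exec, run in a throwaway directory holding a
# single file named after $1. Both are meant to print the file name found.
run_find_unsafe() {
    dir=$(mktemp -d) || return 1
    : > "$dir/$1"
    # On finds that substitute {} inside a string (GNU, BSD, macOS, as the
    # comments note) the path lands in the -c string and is re-parsed by sh.
    (cd "$dir" && find . -type f -exec sh -c "printf '%s\n' {}" \;)
    rm -rf "$dir"
}

run_find_safe() {
    dir=$(mktemp -d) || return 1
    : > "$dir/$1"
    # The path is a separate argument to sh; "$1" keeps it as one word.
    (cd "$dir" && find . -type f -exec sh -c 'printf "%s\n" "$1"' sh {} \;)
    rm -rf "$dir"
}
```

With the constructed value, `run_unsafe` prints two lines (`foo`, then `INJECTED`) while `run_safe` prints the single line `foo; echo INJECTED`; the find pair behaves the same way on implementations that substitute `{}` inside strings.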






