"sharks" shar checking script
Rich Morin
rdm at hoptoad.uucp
Thu Oct 2 04:00:30 AEST 1986
In article <1814 at utah-gr.UUCP>, thomas at utah-gr.UUCP (Spencer W. Thomas)
points up a gotcha having to do with backquotes in here documents. My
response in net.sources.d promises a fix. Here it is...
:
# sharks - SHell ARchive checK Script (Version 2)
#
# The "shar" utility is really a neat hack, but it scares me silly
# from a security perspective. I DON'T LIKE giving my session over
# to someone else's script, despite the fact that I can take a few
# precautions. Scanning a shar file for gotchas is impractical,
# since it takes too much time, and one can still miss things.
# Besides, there is even a nifty gotcha I saw that causes vi to
# perform commands while reading in a file(!)
#
# So, I wrote this piece of paranoid code to help me scan shar files
# in a reasonably efficient manner. It throws away all the here
# document text (using a somewhat naive algorithm), then throws away
# command lines it (quite conservatively) thinks are safe. The rest
# of the text goes to standard output, for storage and/or perusal.
#
# I'm sure it isn't foolproof. (It doesn't even TRY to look at the
# code that is being unpacked...) Still, the resulting output is
# short and sweet, and it tells me everything I want to know before
# submitting my session to the file...
#
# Usage: sharks foo bar ...
#
# Copyright (C) 1986, Richard Morin. All Rights Reserved.
#
# Use it (at your own risk, of course), but don't sell it. Also,
# please let me know about any problems and/or improvements you find.
#
# Version 2 - looks for backquotes in "unquoted" here documents.
#
# Richard Morin, proprietor {hoptoad,leadsv,lll-lcc}!cfcl!rdm
# Canta Forda Computer Lab. +1 415 994 6860
# Post Office Box 1488 Full spectrum consulting services
# Pacifica, CA 94044 USA for science and engineering.
#
# P.S. Long live awk, sed, and sh ! ! !
P='[0-9A-Za-z_-][0-9A-Za-z_-]*'        # pattern for sed script
sed 's/	/ /g' $* |                     # kill off tabs (literal tab in the pattern)
awk '                                  # kill off here document text
{
    if (hd != "") {                    # here document text
        ss2 = $0                       # get test string
        while (substr(ss2,1,1) == " ")
            ss2 = substr(ss2,2)
        if (index(ss2,ss) == 1) {      # end of here text
            hd = ""
            next
        }
        if (hd == "nq" && index(ss2,"`") != 0)
            print "sharks: DANGER! - backquotes in unquoted here document."
    }
    else                               # not here document text
        print $0
}
/<</ {                                 # start of here document?
    if (hd != "")                      # no, already in one
        next
    ss = $0                            # yes, set up flags
    ss = substr(ss,index(ss,"<<")+2)
    while (substr(ss,1,1) == " ")
        ss = substr(ss,2)
    fc = substr(ss,1,1)
    if (fc == "'\''") {                # single quotes used
        hd = "sq"
        ss = substr(ss,2)
        ssq = index(ss,"'\''")
        ss = substr(ss,1,ssq-1)
    }
    else if (fc == "\"") {             # double quotes used
        hd = "dq"
        ss = substr(ss,2)
        ssq = index(ss,"\"")
        ss = substr(ss,1,ssq-1)
    }
    else {                             # no quotes used
        if (fc == "\\") {              # backslash-escaped delimiter
            hd = "bs"
            ss = substr(ss,2)
        }
        else {
            hd = "nq"
            print "sharks: CAUTION! - unquoted here document."
        }
        if ((sse = index(ss," ")) > 1)
            ss = substr(ss,1,sse-1)
    }
}
' |
#
# Note that this code is more than a little bit paranoid. Keep it
# that way... The code is also rather sprawling, since there seem
# to be about twenty gazillion different versions of shar floating
# about. Last, if you don't know what it is, don't play with it!!
#
sed ' # kill off shar noise
/^ *\/bin\/echo [^`;|(>]*$/d
/^ *\/bin\/echo [^`;|(>]*; \/bin\/ls [^`;|(>]*$/d
/^ *\/bin\/ls [^`;|(>]*$/d
/^ *echo [^`;|(>]*$/d
/^ *echo [^`;|(>]*([^`;|(>]*)'\'' *$/d
/^ *echo [^`;|(>]*; ls [^`;|(>]*$/d
/^ *echo [^`;|(>]*`wc [^`;|(>]*` *$/d
/^ *else *$/d
/^ *exit *[0-9]* *$/d
/^ *fi *$/d
/^ *fi #[^`;|(>]*$/d
/^ *if \[ [0-9A-Za-z]*\$'$P' = '$P' ]; then *$/d
/^ *if \[ `wc -c < [^`;|(>]*` != '$P' ]; then *$/d
/^ *if test -f '\''[^`;|(>]*'\'' *$/d
/^ *if test '$P' != \$1 *$/d
/^ *if test '$P' -ne "`wc -c [^`;|(>]*`" *$/d
/^ *if test '$P' -ne "`wc -c '\''[^`;|(>]*'\''`" *$/d
/^ *if test '$P' -ne "`wc -c < '\''[^`;|(>]*'\''`" *$/d
/^ *ls [^`;|(>]*$/d
/^ *set `sum [^`;|(>]*` *$/d
/^ *then *$/d
/^ *wc [^`;|(>]* | sed [^`;|(>]* | diff -b \$'$P' - *$/d
/^ *'$P'='$P' *$/d
'
exit 0 # sh doesn't like signature text...
--
Richard Morin, proprietor {hoptoad,leadsv,lll-lcc}!cfcl!rdm
Canta Forda Computer Lab. +1 415 994 6860
Post Office Box 1488 Full spectrum consulting services
Pacifica, CA 94044 USA for science and engineering.
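The here-document state machine from the awk stage above, as an added example that is not part of the original post: it drops here-document bodies the way sharks does, flags the unquoted case, and goes a step beyond the 1986 script by also treating a backslash-escaped delimiter as quoted, honouring the tab-stripping `<<-` form, and looking for the newer `$(cmd)` substitution alongside backquotes. The sample shar text is constructed for the demonstration.

```python
import re

# Constructed sample shar fragment (not a real archive): one quoted and one
# unquoted here document, each containing a command substitution.
SAMPLE = """\
#! /bin/sh
# constructed sample
echo x - hello.c
sed 's/^X//' > hello.c << 'END'
Xmain() { return `id`; }
END
cat > notes.txt << EOF
see `uname -a` for details
EOF
"""

# Here-document operator and its delimiter word: optional '-' (tab stripping),
# then 'WORD', "WORD", \WORD or a bare WORD. Any quoting or escaping of the
# word tells the shell not to expand the body.
HEREDOC_RE = re.compile(r"<<(-?)\s*(?:'([^']*)'|\"([^\"]*)\"|(\\?)(\S+))")

def scan_shar(text):
    """Return (warnings, residual command lines) for a shar's text.

    Here-document bodies are dropped like sharks does; a body whose delimiter
    is unquoted is checked for `cmd` and $(cmd), which the shell would run.
    """
    warnings, residual = [], []
    delim, quoted, strip_tabs = None, False, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if delim is not None:                      # inside a here document
            body = line.lstrip("\t") if strip_tabs else line
            if body == delim:                      # terminator line
                delim = None
            elif not quoted and ("`" in line or "$(" in line):
                warnings.append(f"line {lineno}: DANGER - command "
                                "substitution in unquoted here document")
            continue
        m = HEREDOC_RE.search(line)
        if m:
            strip_tabs = m.group(1) == "-"
            quoted = (m.group(2) is not None or m.group(3) is not None
                      or m.group(4) == "\\")
            delim = m.group(2) or m.group(3) or m.group(5)
            if not quoted:
                warnings.append(f"line {lineno}: CAUTION - unquoted here document")
        residual.append(line)                      # command line, keep for review
    return warnings, residual

if __name__ == "__main__":
    found, rest = scan_shar(SAMPLE)
    print("\n".join(found + ["--"] + rest))
```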