aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--bin/ax.sh17
-rw-r--r--man/man1/ax.1df12
2 files changed, 15 insertions, 14 deletions
diff --git a/bin/ax.sh b/bin/ax.sh
index 6ce1e9ea..0007cbed 100644
--- a/bin/ax.sh
+++ b/bin/ax.sh
@@ -3,8 +3,8 @@
# Count arguments
case $# in
- # If one argument, we assume format is %s
- 1) form=%s expr=$1 ;;
+ # If one argument, we assume format is %s\n
+ 1) form='%s\n' expr=$1 ;;
# If two arguments, first is format, second expression
2) form=$1 expr=$2 ;;
@@ -16,12 +16,7 @@ case $# in
;;
esac
-# Form program
-prog=$(printf '
- BEGIN {
- printf "%s\\n", %s
- }
-' "$form" "$expr")
-
-# Run program
-awk "$prog"
+# Important note: there's little stopping the user from putting a fully-fledged
+# Awk program into the expression; don't use this anywhere that code injection
+# could wreck your life. See manual page ax(1df).
+awk -v form="$form" 'BEGIN{printf form,('"$expr"');exit}'
diff --git a/man/man1/ax.1df b/man/man1/ax.1df
index b3218d37..40125167 100644
--- a/man/man1/ax.1df
+++ b/man/man1/ax.1df
@@ -1,15 +1,21 @@
-.TH AX 1df "July 2016" "Manual page for ax"
+.TH AX 1df "January 2018" "Manual page for ax"
.SH NAME
.B ax
\- evaluate an awk expression
.SH SYNOPSIS
-.B ax '2.0+3.0'
+.B ax
+\&'2.0+3.0'
.br
-.B ax %.2f 'sin(2)'
+.B ax
+\&'%.2f\\n' 'sin(2)'
.SH DESCRIPTION
.B ax
evaluates an expression given on the command line with awk(1) and prints its
result using awk's printf, with an optional format specified preceding the
expression.
+.SH SECURITY
+Note that the second argument has no evaluation protection on it. There's very
+little to stop a user putting a fully-fledged awk program in as the second
+argument if they needed to. Don't accept untrusted user input in this argument!
.SH AUTHOR
Tom Ryder <tom@sanctum.geek.nz>