Tried to figure out all the POSIX stuff, but POSIX doesn’t like me and my script.
It drives me crazy.
I made an example that is easier to read than my original script.
If the user enters a name like “Safari” it works.
But if there is a space in the setup name like in “Safari 1” the copy command doesn’t work anymore because of the space sign.
Does someone know a solution ?
display dialog "Enter name of new setup:" default answer "" buttons {"OK", "Cancel"} default button 1 with icon note
set SetupName to text returned of result
do shell script "cp $HOME/Desktop/Setups/Standard.plist $HOME/Desktop/Setups/" & SetupName & "/"
AppleScript: 1.10.3
Browser: Firefox 1.5
Operating System: Mac OS X (10.4)
display dialog "Enter name of new setup:" default answer "" buttons {"OK", "Cancel"} default button 1 with icon note
set SetupName to text returned of result
get POSIX path of (path to desktop folder)
do shell script "cp " & quoted form of (result & "Setups/Standard.plist") & space & quoted form of (result & "Setups/" & SetupName & "/")
Okay, so when you run this command from a shell, for example:
Bash needs to know where “rm” lives, so it knows what program to run. It looks in what we call the PATH environment variable. Here’s mine:
This is a list of all the places bash should use to find commands I type. PATH can be anything for different users, and is definable from your shell without authentication–it’s just an environment variable, after all, that exists at the user-level.
I know there aren’t thousands of nasty OS X trojans going around, but that doesn’t mean the following is crap. (This is for everyone who might post and say that I’m being paranoid. This is basic shell scripting, here.)
Imagine a scenario like this:
Bob downloads a program with a malicious payload on it. It’s a shell script that looks like this:
The shell script is installed into “/Users/yourhome/.0wned/rm.sh” when the program is run–since there’s no authentication needed, there’s no prompt or warning–and Bob’s PATH env variable is changed to include “$HOME/.0wned”. When Bob goes to do this:
This is what actually happens:
Which is actually this:
Oops.
The thing is, Bob doesn’t need to be using the Terminal himself to mess things up. It could be a bad piece of AppleScript or shell script (say, an app installer) that does it for him, and he doesn’t know. It’s important to close little, easily closed, holes like this.
We can solve it by explicity defining where a shell command is, when we’re writing shell scripts:
Same goes for AppleScripts:
do shell script "/bin/ls" & space & quoted form of theFolder
Or for complex scripts that might call it several times:
do shell script "ls=/bin/ls ; $ls" & space & quoted form of theFolder & space "| blah blah"
Now, imagine replacing the “cp” or “ls” commands with that malicious rm-based script.
