On Fri, Dec 06, 2019 at 02:40:49PM -0500, songbird wrote:
> Greg Wooledge wrote:
> ...
> > Ideally, you'd just stop trying to use sed with user-supplied variables
> > injected into the code. Sed was never built to be safe for that kind of
> > work.
>
> sed was designed to operate on streams. a sequence of
> characters is a stream. i don't see any reason why
> putting the variable into the middle of that expression
> means anything different.

It was designed to accept a program in argv[] and execute that program
on its input, which is a stream.

You are injecting your end-user variables inside sed's program. This
is called code injection. End-user data is being parsed as code by
a code interpreter (in this case, sed).

The workarounds for this are:

1) Carefully quote/dequote/escape/mangle the end-user data so that after
   it has been injected into the code, it will achieve the desired goal.

2) Use some other tool or method of supplying the end-user data so that
   it is never parsed as code by any interpreter.

If you insist on doing #1, so be it. It's your damned computer, and your
damned problem. I can only warn you and be ignored so many times before
I give up and let you fuck yourself, as you are so vehemently and stubbornly
eager to do.
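
The difference between the two approaches in the message above, as an added example that is not part of the original email: the first function builds sed's program out of the data, the second hands the data to a fixed awk program through the environment. The function names and the choice of awk with `ENVIRON` as the "other tool" are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the original message.

# Data injected into the program: $1 and $2 become part of sed's s command,
# so '.', '&', '/' and '\' in them are parsed as sed syntax.
replace_injected() {    # $1 = search, $2 = replacement, input on stdin
    sed "s/$1/$2/g"
}

# Workaround 2: the awk program is a fixed single-quoted string. The data
# arrives via ENVIRON (no escape processing, unlike awk -v) and is only
# handled by index()/substr(), which treat it as plain strings.
replace_literal() {     # same arguments, same stdin
    SEARCH="$1" REPL="$2" awk '
        BEGIN { s = ENVIRON["SEARCH"]; r = ENVIRON["REPL"]; n = length(s) }
        n == 0 { print; next }          # empty search: pass line through
        {
            out = ""
            while ((i = index($0, s)) > 0) {
                out = out substr($0, 1, i - 1) r
                $0 = substr($0, i + n)
            }
            print out $0
        }'
}

# Constructed sample input: the "user" values contain sed metacharacters.
line='a.b axb'
printf 'injected: %s\n' "$(printf '%s\n' "$line" | replace_injected '.' '[&]')"
printf 'literal:  %s\n' "$(printf '%s\n' "$line" | replace_literal '.' '[&]')"
```

With the injected version, a search value containing `/` does not even produce a valid sed program; with the literal version the same value is just bytes to look for.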

