Cleanse the tmp variable before running eval on it. This is to prevent
execution of commands that are hidden in variable values read from a config
file. We only need to resolve the values of variables and don't want
the execution of a subshell command initiated by either $(...) or `...`.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
return 1
fi
else
+ # don't let eval execute subshells: removed '`' and
+ # convert '$(' to '('
+ tmp=$(echo "$tmp" | sed -e 's/\$(/(/g' -e 's/`\(.*\)`/\1/g')
echo $(eval echo "$tmp")
fi
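Review bot: The sed filter on the added tmp= line only rewrites '$(' and paired backticks, so the eval on the next line still parses everything else in the config value as shell syntax. Command separators such as ';', '|' and '&' pass through untouched and would still start a command when eval runs. Since the stated goal is only to resolve variable values, consider accepting just the characters a value may legitimately contain and rejecting the rest, or expanding $VAR and ${VAR} references explicitly without eval, instead of stripping known-bad sequences. Two smaller points on the same lines: the backtick expression '\(.*\)' is greedy and only matches a pair of backticks on a single line, and $(eval echo "$tmp") is unquoted in the outer echo, so the result is subject to word splitting and globbing. The comment should read "remove" rather than "removed".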