tool: add command line variables #11346
I think 'encode' or 'urlencode' is easier to understand than 'percent' or %. --expand-data "{{fix:urlencode}}", also wouldn't it be easier if it could all be done in one step edit:
ah, I didn't see that. Why would you percent encode the entire thing? Is there really a need for this type of functionality?
@jay
If you don't use You mostly use bare
To consider: expanding a variable that contains a null byte. What to do with that null byte if neither
Most UNIX shells (with few exceptions, e.g. Another option is to just fail with a fatal error if a user tries to expand a variable that contains NUL without using a function that escapes, which I honestly don't think is that horrible. After all, this can only happen if the user uses something like
After having slept on it, I believe I now favor the "fail with a fatal error" option. This will be the most helpful thing to users as it makes it immediately apparent what happens, as removing or replacing the null bytes will lead to more hard-to-debug errors to puzzle users. If we want a replace option, we could instead implement a dedicated function for that purpose.
I think the documentation should include some note about the security risks. If an attacker is able to modify an environment variable it might be possible to exfiltrate data which might otherwise not be possible.
Providing clear documentation is of course valuable and a priority. Do you have any proposed wording? An attacker that can change environment variables for curl is a serious attack already before this, since curl will acknowledge several variables outside of this new feature. Also, this new feature is only expanding environment variables that are explicitly asked for, which is a reason we add this
Me and @emanuele6 brainstormed a bit more on IRC.
We came up with this tweak to support both those things, that I think fits rather nicely:
Import environment variables like this:
Personally I think you should be allowed to redefine a variable. While Since variables are only used by the user for
It works for me. I'll amend.
Add support for command line variables. Set variables with --variable name=content or --variable name@file (where "file" can be stdin if set to a single dash (-)).

Variable content is expanded in option parameters using "{{name}}" (without the quotes) if the option name is prefixed with "--expand-". This gets the contents of the variable "name" inserted, or a blank if the name does not exist as a variable. Insert "{{" verbatim in the string by prefixing it with a backslash, like "\\{{".

Import an environment variable with --variable %name. It makes curl exit with an error if the environment variable is not set. It can also rather get a default value if the variable does not exist, using =content or @file like shown above.

Example: get the USER environment variable into the URL:

  --variable %USER
  --expand-url = "https://example.com/api/{{USER}}/method"

When expanding variables, curl supports a set of functions that can make the variable contents more convenient to use. It can trim leading and trailing white space with "trim", it can output the contents as a JSON quoted string with "json" and it can URL encode the string with "urlencode". You apply function to a variable expansion, add them colon separated to the right side of the variable. They are then performed in a left to right order.

Example: get the contents of a file called $HOME/.secret into a variable called "fix". Make sure that the content is trimmed and percent-encoded sent as POST data:

  --variable %HOME=/home/default
  --expand-variable fix@{{HOME}}/.secret
  --expand-data "{{fix:trim:urlencode}}"
  https://example.com/

Documented. Many new test cases.

Co-brainstormed-by: Emanuele Torre
Closes #11346
Add support for command line variables. Set variables with --variable name=content or --variable name@file (where "file" can be stdin if set to a single dash (-)).

Variable content is expanded in option parameters using "{{name}}" (without the quotes) if the option name is prefixed with "--expand-". This gets the contents of the variable "name" inserted, or a blank if the name does not exist as a variable. Insert "{{" verbatim in the string by prefixing it with a backslash, like "\\{{".

Import an environment variable with --variable %name. It makes curl exit with an error if the environment variable is not set. It can also rather get a default value if the variable does not exist, using =content or @file like shown above.

Example: get the USER environment variable into the URL:

  --variable %USER
  --expand-url = "https://example.com/api/{{USER}}/method"

When expanding variables, curl supports a set of functions that can make the variable contents more convenient to use. It can trim leading and trailing white space with "trim", output the contents as a JSON quoted string with "json", URL encode it with "url" and base 64 encode it with "b64". To apply functions to a variable expansion, add them colon separated to the right side of the variable. They are then performed in a left to right order.

Example: get the contents of a file called $HOME/.secret into a variable called "fix". Make sure that the content is trimmed and percent-encoded sent as POST data:

  --variable %HOME=/home/default
  --expand-variable fix@{{HOME}}/.secret
  --expand-data "{{fix:trim:urlencode}}"
  https://example.com/

Documented. Many new test cases.

Co-brainstormed-by: Emanuele Torre
Closes #11346
if(use_stdin) | ||
file = stdin; | ||
else { | ||
file = fopen(line, "rb"); |
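Review bot: the lines shown stop at file = fopen(line, "rb"); with no check of the result in view. Make sure a NULL return is reported as an error that names the file instead of being treated as empty content, and document that the name after "@" is opened exactly as given, so anything expanded into it (for example an imported environment variable, as in fix@{{HOME}}/.secret) decides which file is read.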
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression
thanks @jay!
Add support for command line variables. Set variables with --variable name=content or --variable name@file (where "file" can be stdin if set to a single dash (-)).

Variable content is expanded in option parameters using "{{name}}" (without the quotes) if the option name is prefixed with "--expand-". This gets the contents of the variable "name" inserted, or a blank if the name does not exist as a variable. Insert "{{" verbatim in the string by prefixing it with a backslash, like "\\{{".

Import an environment variable with --variable %name. It makes curl exit with an error if the environment variable is not set. It can also rather get a default value if the variable does not exist, using =content or @file like shown above.

Example: get the USER environment variable into the URL:

  --variable %USER
  --expand-url = "https://example.com/api/{{USER}}/method"

When expanding variables, curl supports a set of functions that can make the variable contents more convenient to use. It can trim leading and trailing white space with "trim", output the contents as a JSON quoted string with "json", URL encode it with "url" and base 64 encode it with "b64". To apply functions to a variable expansion, add them colon separated to the right side of the variable. They are then performed in a left to right order.

Example: get the contents of a file called $HOME/.secret into a variable called "fix". Make sure that the content is trimmed and percent-encoded sent as POST data:

  --variable %HOME=/home/default
  --expand-variable fix@{{HOME}}/.secret
  --expand-data "{{fix:trim:url}}"
  https://example.com/

Documented. Many new test cases.

Co-brainstormed-by: Emanuele Torre
Assisted-by: Jat Satiro
Closes curl#11346
Support command line variables. Set variables with --variable name=content or --variable name@file (where "file" can be stdin if set to a single dash (-)).

Variable contents can be expanded in option parameters using {{name}} if the option name is prefixed with --expand-. This gets the contents of the variable "name" inserted, or a blank if the name does not exist as a variable. Insert {{ verbatim in the string by prefixing it with a backslash, like \{{.

You can access and expand environment variables by first importing them. You can select to either require the environment variable to be set or you can provide a default value in case it is not already set. Plain --variable %name imports the variable called "name" but exits with an error if that environment variable is not already set. To provide a default value if it is not set, use --variable %name=content or --variable %name@content.

Example: get the USER environment variable into the URL. Fail if USER is not set:

When expanding variables, curl supports a set of functions that can make the variable contents more convenient to use. It can trim leading and trailing white space with "trim", it can output the contents as a JSON quoted string with "json" and it can URL encode the string with "urlencode". You apply the function(s) to a variable expansion, add them colon separated to the right side of the variable. They are then executed in a left to right order.

Example: get the contents of a file called $HOME/.secret into a variable called "fix". Make sure that the content is trimmed and percent-encoded sent as POST data. If HOME is not set, use "dummy" as default:

Documented. Eight new test cases.
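
A small Python model of the expansion rules described in this pull request, added here as an example and not curl's C implementation: it shows the left-to-right function order, the "\{{" escape, and the "fail with a fatal error" handling of NUL bytes favored in the thread. The expand() function, the ExpandError name, the sample values and the choice to emit "json" output without surrounding quotes are assumptions made for the example.

```python
import base64, json, re
from urllib.parse import quote

class ExpandError(Exception):
    """Stands in for curl exiting with a fatal error."""

# Function names follow the later commit message ("url", "b64").
FUNCS = {
    "trim": lambda b: b.strip(b" \t\r\n"),
    # Assumption: emit the JSON-escaped content without surrounding quotes.
    "json": lambda b: json.dumps(b.decode("utf-8", "replace"))[1:-1].encode(),
    "url": lambda b: quote(b, safe="").encode(),
    "b64": base64.b64encode,
}
# Either an escaped opener "\{{" or a full "{{name:func:...}}" token.
TOKEN = re.compile(rb"\\\{\{|\{\{([^}]*)\}\}")

def expand(template: bytes, variables: dict) -> bytes:
    def repl(m):
        if m.group(1) is None:            # "\{{" -> literal "{{"
            return b"{{"
        name, *funcs = m.group(1).decode().split(":")
        value = variables.get(name, b"")  # unknown variable -> blank
        for f in funcs:                   # applied left to right
            if f not in FUNCS:
                raise ExpandError(f"unknown function {f!r}")
            value = FUNCS[f](value)
        if b"\0" in value:                # NUL survived: refuse, do not strip
            raise ExpandError(f"{name!r} expands to data with a NUL byte")
        return value
    return TOKEN.sub(repl, template)

if __name__ == "__main__":
    # Constructed sample values, not taken from the pull request.
    v = {"who": b'bob","admin":"1', "pad": b"  a b&c=d\n", "bin": b"a\0b"}
    print(expand(b'{"user":"{{who:json}}"}', v))   # quotes stay inside the string
    print(expand(b"q={{pad:trim:url}}", v))        # trimmed, then encoded
    print(expand(b"q={{pad:url:trim}}", v))        # encoded first, trim is a no-op
    try:
        expand(b"{{bin:trim}}", v)                 # trim does not escape NUL
    except ExpandError as e:
        print("fatal:", e)
```

Content that passes through "json" or "url" cannot close the surrounding JSON string or add a form field, which is why the encoding function belongs in the expansion itself and not in a later step.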