#3135 Issue open: Hardcoded 'eval $command' is problematic and against "final power to the user"¶

Labels: enhancement, cleanup, discuss / RFC

jsmeix opened issue at 2024-01-22 11:02:¶

In default.conf we describe several cases
where the user can specify commands to be run by ReaR
and we run those user specified commands usually via

eval $command

to make it easier for the user to specify e.g.

command='echo current date: $( date )'

and get $... evaluated not when it is specified
but when it is executed.

But in general eval arbitrary $... is problematic, cf.
https://github.com/rear/rear/pull/3089#discussion_r1412293833
and the subsequent comments therein.

And with the hardcoded eval the user can not specify
when he does not want to get $... evaluated like

command='echo to show the date use "echo current date: $( date )"'

because

# command='echo to show the date use "echo current date: $( date )"'

# $command
to show the date use "echo current date: $( date )"

# eval $command
to show the date use echo current date: Mon 22 Jan 2024 11:53:31 AM CET

By the way: Note the mising double quote characters with eval ...

So our hardcoded 'eval $command' is problematic
and it is against final power to the user.

Therefore I am thinking about to remove our hardcoded 'eval'
and explain in default.conf that the user must manually
specify 'eval' when he needs it.

So instead of

command='echo current date: $( date )'

the user would have to specify

command='eval echo current date: $( date )'

and ReaR could simply and safely call plain $command
for example like

# command='eval echo current date: $( date )'

# $command ; sleep 1 ; $command
current date: Mon 22 Jan 2024 11:59:39 AM CET
current date: Mon 22 Jan 2024 11:59:40 AM CET

---

[Export of Github issue for rear/rear.]