中国服务器网
  1. 中国服务器网
  3. Bashvariables在被插入cURL命令时会被屠杀
Intereting Posts
在UNIX中运行脚本的Crontab 如何在Linux中创buildAlt + Tab友好的全屏程序(如游戏)? 为什么复制到system32会自动复制到sysWOW64? 在Qt中,我怎么能注册一个QString到我的系统的剪贴板,无论是引用和不引用? 从命令行运行Scheme 在记事本中打开.pl文件 Apache不会在xampp中运行 如何运行命令,直到成功? 我如何远程处理(低延迟)Raspicam输出? 黑客可以攻击一个网站的FTP,SSH和/或.htaccess文件吗? 如何从IIS迁移到Azure f77有多个无法识别的选项 不能在linux中使用fcntl切换到阻塞模式 如何告诉CMake在哪里放置构build文件? linux eth0不能和bridge一起工作

Bashvariables在被插入cURL命令时会被屠杀

脚本的第一部分如下所示: 

curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d 'username=username&password=password "https://get_token" >> token.txt token=$(<'token.txt'$'\r') echo "$token"

从echo $令牌的输出看起来很好(417个字符): 

 eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1dz09IiwibmJmIjoxNDgzOTg5NjgwLCJpc3MiOiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw

让我们看看当我尝试将令牌插入脚本的下一部分时会发生什么。 

 echo curl -k -X POST -H "Content-Type: application/json" -H "Authorization: AR-JWT "$token"" -H "Cache-Control: no-cache" -d '{  "values":{         "First_Name": "John",   "Last_Name": "Doe",  } } ' "https://randomurl.com"

这是输出: 

 curl -k -X POST -H Content-Type: application/json -H Authorization: AR-JWT eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1dz0 -H Cache-Control: no-cache -d { OiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw  "values":{         "First_Name": "John",   "Last_Name": "Doe",  } } https://randomurl.com

2令牌传入时发生的事情

  • 令牌中的“9IwibmJmIjoxNDgzOTg5NjgwLCJpc3Mi”被删除

  • 令牌的后半部分(被删除部分之后)被插入到主体中

我试过了:

  • 使用不同的标记
  • 使用令牌而不先传递给文件
  • 移动URL之前的授权标题

所有这些导致相同的行为。

我在Windows 7上使用cygwin64当第二个cURL命令在正确的空间input完整的令牌到cygwin时,它没有任何问题

当set-x被添加到脚本时输出: 

 $ ./variable_testing.sh + ./variable_testing.sh + token=$'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1dz09IiwibmJmIjoxNDgzOTg5NjgwLCJpc3MiOiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw\r' + echo $'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1dz09IiwibmJmIjoxNDgzOTg5NjgwLCJpc3MiOiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw\r\r' eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1dz09IiwibmJmIjoxNDgzOTg5NjgwLCJpc3MiOiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw + echo curl -k -X POST -H '"Content-Type:' 'application/json"' -H '"Authorization:' AR-JWT 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk"' -H '"Cache-Control:' 'no-cache"' -d '{ LCJpc3MiOiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw  "values":{         "First_Name": "John",   "Last_Name": "Doe",  } } ' $'https://randomurl.com\r' curl -k -X POST -H "Content-Type: application/json" -H "Authorization: AR-JWT eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1" -H "Cache-Control: no-cache" -d { OiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw  "values":{         "First_Name": "John",   "Last_Name": "Doe",  } } https://randomurl.com

上面显示输出的完整,简化的脚本 

 #!/bin/bash set -x logs token="eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIyTVd0bGo4Y1VPYW8xNmdZTlV4QWlFS3RLcTc1b2JsSEN0c3hKWnlxeExCTkRKb1wvKzNSK1l5XC9YUFhoWExLaytJRVdKSE5CTE9MZmxPNksxemFjYXVlM0t1NnFIQjNRXC9QeUxzUTdVSmVOYk9pS3FDeHhcLzk1dz09IiwibmJmIjoxNDgzOTg5NjgwLCJpc3MiOiJwaHgtcmVtc3QtMDAzIiwiX2NhY2hlSWQiOjE0MzA0OCwiZXhwIjoxNDgzOTkzNDAwLCJpYXQiOjE0ODM5ODk4MDAsImp0aSI6IklER0FBNVYwR1pNU0pBTzk5QlVXTzhOMDY5VlRGTiJ9.H3vD-WfZBFXOII4k-cy7Ey2QM9YXytp31m9-Huj9vKw" echo "$token" echo curl -k -X POST -H \"Content-Type: application/json\" -H \"Authorization: AR-JWT $token\" -H \"Cache-Control: no-cache\" -d '{  "values":{         "First_Name": "John",   "Last_Name": "Doe",  } } ' "https://randomurl.com"

第一:你的令牌目前有字面的CRs – 明显的屠杀是由在你的echo输出中打印出来的CR引起的,将光标移回到行的开头,这样你的令牌的一部分被后面的内容覆盖。 要消除它们,可以将文件转换为UNIX文本格式(并确保在生成该文件的任何命令中没有CR),也可以使用: 

 token=$(<token.txt) # read token.txt into "token" variable token=${token//$'\r'/} # strip CRs from token variable

如果你想传递授权标题作为一个单词curl ,不要结束并重新初始化你的引号; 在一组语法引号中保留单个参数。 

 -H "Authorization: AR-JWT $token"

最后,确保你的脚本本身是UNIX格式 – 你的编辑器不是用DOS换行符保存的。