23

I am using osascript in Bash to display a message in Notification Center (Mac OS X) via AppleScript. I am trying to pass a text variable from Bash to the script. For a variable without spaces, this works just fine, but not for one with spaces:

Defining

var1="Hello"
var2="Hello World"

and using

osascript -e 'display notification "'$var1'"'

works, but using

osascript -e 'display notification "'$var2'"'

yields

syntax error: Expected string but found end of script.

What do I need to change (I am new to this)? Thanks!

2 Answers

38

You could try this instead:

osascript -e "display notification \"$var2\""

Or:

osascript -e 'display notification "'"$var2"'"'

This fixes the problem of handling variables that contain spaces in bash. However, this solution doesn't protect against injection of osascript code. So it would be better to choose one of Charles Duffy's solutions or to use bash parameter expansion:

# if you prefer to escape the double quotes
osascript -e "display notification \"${var2//\"/\\\"}\""
# or
osascript -e 'display notification "'"${var2//\"/\\\"}"'"'

# if you prefer to remove the double quotes
osascript -e "display notification \"${var2//\"/}\""
# or
osascript -e 'display notification "'"${var2//\"/}"'"'

Thanks to mklement0 for this very useful suggestion!

17 Comments

...and as for "X is not addressed by this answer" -- just as any answer for generating SQL that allowed injection bugs should be subject to jeers from the crowd, answers for a question on how to properly interface between bash and osascript that don't actually take proper/safe use of osascript into account have good cause to be similarly rejected.
@CharlesDuffy: I wouldn't know how to inject code in this instance (AppleScript doesn't allow placing multiple commands on 1 line; in general, though, the concern about injection is appreciated); in particular, however, the concern about values containing " is valid (in terms of breaking the command); here's the (somewhat cumbersome) remedy, using bash parameter expansion: osascript -e "display notification \"${var2//\"/\\\"}\""
@IdrissNeumann, would you consider adopting mklement0's suggestion re: using parameter expansion to escape any double quotes? I'd feel a lot more comfortable with your answer at the top of the page were that done.
@CharlesDuffy Well done, hadn't thought of that. With escaped double quotes, however, as I suggested (${var2//\"/\\\"}), this exploit will NOT work - or do you see a way around that, too?
@mklement0, ...and that's why I asked Idriss to incorporate your suggestion, rather than to withdraw the answer. I don't have an immediate escape for that, though if I were going to try to create one, I'd probably start poking around Unicode character set conversion logic (being a common weak point), and/or reading the formal language spec.
21

This version is completely safe against injection attacks, unlike variants trying to use string concatenation.

osascript \
  -e "on run(argv)" \
  -e "return display notification item 1 of argv" \
  -e "end" \
  -- "$var2"

...or, if one preferred to pass code in on stdin rather than argv:

osascript -- - "$var2" <<'EOF'
  on run(argv)
    return display notification item 1 of argv
  end
EOF

7 Comments

+1 for a robust solution for passing arbitrary arguments to osascript safely from the command line (though it may be overkill for the case at hand).
Thanks for the more robust solution - I ended up accepting the other one since it is sufficient for the case at hand, where no injection attacks or variables with ` are to be expected.
There's no real reason not to use proper, safe code; when you don't expect an attack is when you are most vulnerable to it.
As an aside: the on run argv line works, despite not enclosing the argument - argv - in parentheses, which is normally required in AppleScript handlers. This curious syntax exception - which only works with handler name run - has been around for a long time (and therefore probably won't go away). The non-exceptional syntax works too, however: on run(argv).
@chepner: Excellent point. Fortunately, those variants of the accepted answer with escaping or removal of double quotes should be safe.
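
The two safe patterns discussed in the answers above, as an added example that is not part of the original posts: a wrapper that passes values through argv, and a string-literal escaper for one-line `-e` scripts. The escaper goes beyond the quote-only parameter expansion by also escaping backslashes, which AppleScript treats as the escape character inside string literals. The names `OSASCRIPT`, `as_literal`, `notify` and `notify_inline`, and the default title, are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: two injection-safe ways to hand a shell value to osascript.
# OSASCRIPT is a hypothetical override so the wrappers can be exercised
# without macOS; when unset, the real osascript binary is used.

# as_literal VALUE
# Print VALUE as a double-quoted AppleScript string literal.
# Backslashes are escaped first, then double quotes, so neither character
# in the data can terminate the literal or start an escape sequence.
# printf '%s' is used instead of echo so the value is never interpreted.
as_literal() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# notify MESSAGE [TITLE]
# Preferred form: the script text is constant and the values travel as
# argv, so the data is never parsed as AppleScript source.
notify() {
  "${OSASCRIPT:-osascript}" \
    -e 'on run(argv)' \
    -e 'display notification (item 1 of argv) with title (item 2 of argv)' \
    -e 'end' \
    -- "$1" "${2:-Shell}"
}

# notify_inline MESSAGE
# Fallback for when the value must be embedded in a one-line -e script.
notify_inline() {
  "${OSASCRIPT:-osascript}" -e "display notification $(as_literal "$1")"
}
```

Call `notify "$var2"` or `notify "$var2" "Build finished"`; prefer it over `notify_inline`, which exists only for cases where the script has to be a single string.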