Re: bash - safely pass untrusted strings?

Benjamin Smith wrote:
> On Tuesday 26 February 2008, Ralph Angenendt wrote:
>>> There is no mechanism for escaping untrusted input?
>> Correct. At least there's no magic quoting function.
>
> WHY THE @!#! NOT?!?!?
>
> Bash is used, extensively in many cases, to deal with untrusted data. This can include random file names in user home directories, parameters on various scripts, etc. It's highly sensitive to being passed characters that have, over the past NN years, resulted in quite a number of security holes and problems.

Perl is probably better for this.

> Yet there exists NO MECHANISM for simply ensuring that a given argument is an escaped string? How many "homebrew" ISP or hosting administration scripts could be compromised by simply putting a file in your home directory called ";rm -rf /" ?

why would you do that... it'd be much more interesting to do something like
";usermod -u 0 mylogin"


--
Milton Calnek BSc, A/Slt(Ret.)
milton@xxxxxxxxxx
306-717-8737


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
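
The file-name problem discussed in this thread, as an added example that is not part of the original messages: one unsafe way and three safe ways to hand an untrusted name to a command. The function names, the `INJECTED` marker and the hostile file name are constructed for illustration; the payload is a harmless stand-in that only creates a marker file in a scratch directory.

```sh
#!/bin/sh
# Constructed sample: a legal file name that is also shell syntax. The payload
# is a harmless stand-in that only creates a marker file named INJECTED.
HOSTILE="x; touch INJECTED; : 'a'"

# Quote one string so a POSIX shell re-reads it as a single literal word:
# wrap it in single quotes and rewrite every embedded ' as '\''.
# (Trailing newlines are lost to $(...); bash also has a builtin printf '%q'.)
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# UNSAFE: the name is pasted into text that a shell then parses as code.
size_unsafe() { sh -c "wc -c < $1" 2>/dev/null; }

# SAFE 1: never re-parse. A double-quoted expansion is always one word.
size_quoted() { wc -c < "$1"; }

# SAFE 2: if a child shell is required, pass the name as a positional parameter.
size_param() { sh -c 'wc -c < "$1"' sh "$1"; }

# SAFE 3: if the name must be embedded in a command string, quote it first.
size_embedded() { sh -c "wc -c < $(sh_quote "$1")"; }

# Run one of the functions above against a 5-byte file carrying the hostile
# name, inside a scratch directory, and report whether the marker appeared.
try() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    printf 'hello' > "$HOSTILE"
    size=$("$1" "$HOSTILE" | tr -d ' ')
    if [ -e INJECTED ]; then verdict=injected; else verdict=clean; fi
    cd / && rm -rf -- "$dir"
    echo "$1: size=${size:-none} $verdict"
)

for f in size_unsafe size_quoted size_param size_embedded; do
    try "$f"
done
```

Only `size_unsafe` lets the file name run as a command; the other three read the 5-byte file and leave no marker.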
