Re: bash - safely pass untrusted strings?




On Tue, Feb 26, 2008 at 12:45:41PM -0600, Les Mikesell alleged:
> Garrick Staples wrote:
> 
> >>How many "homebrew" ISP or hosting administration scripts could be 
> >>compromised by simply putting a file in your home directory called ";rm 
> >>-rf /" ? 
> >
> >It's not as bad as you think because of the order of operations.
> >
> >In all cases, these perform exactly as a string should regardless of inner
> >characters.
> 
> He's probably thinking of a scripted operation that does a
> find . -print |xargs some_command
> (without print0) or a backtick or $(..) generated expansion.  A lot of 

Yes, so was I.  That's why I had some examples of string with quotes being
evaluated by the shell.


> the usefulness of the shell happens because you can generate and reparse 
> text programmatically and have it become commands - and a side effect is 
> that metacharacters that appear in the text get processed even if they 
> aren't what you expected.  I think it is kind of silly that common shell 
> metacharacters are permitted in filenames, but there's not much you 
> can do about it now.

My point is that the problem isn't actually all that bad.  Just like all
languages, you have to know what you are doing.

-- 
Garrick Staples, GNU/Linux HPCC SysAdmin
University of Southern California

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
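The cases discussed in this thread, as an added example that is not part of the original messages and was not written by either poster: a filename beginning with ";rm -rf" is inert as long as no shell ever re-parses it, and the real hazard is word splitting when names travel through `find -print | xargs` or an unquoted `$(...)`. The directory and filenames below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a filename that looks like shell syntax is
# harmless unless it is re-parsed by a shell. Names below are constructed.

# Create a scratch directory holding one ordinary file and one file whose name
# starts with ';', contains spaces and a newline.
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/plain.txt"
    bad="$dir/;rm -rf  nothing
second line"
    : > "$bad"
    printf '%s' "$dir"
}

# Safe: NUL-delimited names, each delivered to the child as exactly one
# argument. The ';' is plain data to xargs and to the child; no shell parses it.
count_print0() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo $#' sh
}

# Fragile: newline-delimited output, and xargs splits on blanks and newlines,
# so the hostile name becomes several arguments (one of them "-rf").
count_print() {
    find "$1" -type f -print | xargs sh -c 'echo $#' sh
}

# Fragile: an unquoted $(...) expansion is word-split (and globbed) by the
# calling shell, with the same effect as the unquoted xargs case.
count_unquoted_expansion() {
    set -- $(find "$1" -type f)
    echo $#
}

# Safe: a double-quoted parameter expansion is never word-split or re-parsed;
# the value arrives intact, metacharacters included.
pass_quoted() {
    printf '%s' "$1"
}
```

Run `d=$(make_fixture)` and compare `count_print0 "$d"` (reports 2 files) with `count_print "$d"` and `count_unquoted_expansion "$d"` (both report 6 arguments because the one hostile name is split on whitespace). The same property that keeps `-print0 | xargs -0` and `"$var"` safe also applies to `find ... -exec cmd {} +`: the name is handed over as one argv entry, never as text for a shell to interpret.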
