On Tue, Feb 26, 2008 at 12:45:41PM -0600, Les Mikesell alleged:
> Garrick Staples wrote:
>
> >>How many "homebrew" ISP or hosting administration scripts could be
> >>compromised by simply putting a file in your home directory called ";rm
> >>-rf /" ?
> >
> >It's not as bad as you think because of the order of operations.
> >
> >In all cases, these perform exactly as a string should regardless of inner
> >characters.
>
> He's probably thinking of a scripted operation that does a
> find . -print |xargs some_command
> (without print0) or a backtick or $(..) generated expansion. A lot of

Yes, so was I. That's why I had some examples of string with quotes being
evaluated by the shell.

> the usefulness of the shell happens because you can generate and reparse
> text programmatically and have it become commands - and a side effect is
> that metacharacters that appear in the text get processed even if they
> aren't what you expected. I think it is kind of silly that common shell
> metacharacters are permitted in filenames, but there's not much you
> can do about it now.

My point is that the problem isn't actually all that bad. Just like all
languages, you have to know what you are doing.

--
Garrick Staples, GNU/Linux HPCC SysAdmin
University of Southern California

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
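An added example, not part of the thread, illustrating the two points above: a name like ";rm -rf /" is inert when it stays a single string, but an unquoted `$(ls)` expansion word-splits it into several words, while `find -print0 | xargs -0` (and a quoted `"$f"` loop) keep every name as one argument. The fixture filenames and the three helper functions are constructed here for the demonstration; a slash cannot appear in a filename, so the word "slash" stands in for it.

```shell
#!/bin/sh
# Added example (not code from the mailing list thread).
# Shows how differently-written loops treat filenames containing
# shell metacharacters. All names below are constructed test data
# inside a temporary directory; nothing is ever executed from them.

make_fixture() {
    dir=$(mktemp -d)
    touch "$dir/plain.txt"
    touch "$dir/has space.txt"
    touch "$dir/;rm -rf slash"   # semicolon and spaces, modelled on the thread's example
    printf '%s' "$dir"
}

# Naive: the output of ls is re-parsed by the shell. Word splitting on
# IFS turns "has space.txt" and ";rm -rf slash" into six separate words,
# so any command fed these words sees the wrong arguments. (The ';' is
# still not treated as a command separator: splitting happens after
# command parsing, which is the "order of operations" point.)
count_naive() {
    n=0
    for f in $(ls "$1"); do n=$((n + 1)); done
    echo "$n"
}

# Safe: NUL-delimited pipeline. Each name reaches xargs as exactly one
# argument, so the inner sh sees one positional parameter per file.
count_safe() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# Also safe: glob expansion plus a quoted "$f"; no re-parsing occurs.
count_quoted() {
    n=0
    for f in "$1"/*; do [ -e "$f" ] && n=$((n + 1)); done
    echo "$n"
}

cleanup_fixture() {
    # "$1" is the mktemp directory returned by make_fixture
    rm -rf "$1"
}
```

Run `d=$(make_fixture); count_naive "$d"; count_safe "$d"; cleanup_fixture "$d"` to see the naive loop over-count (6) where the NUL-delimited and quoted versions report the real three files.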
_______________________________________________
CentOS mailing list
http://lists.centos.org/mailman/listinfo/centos