On Sat, Aug 04, 2012 at 04:42:10PM +0100, Pádraig Brady wrote:
> There was a recent change in df in coreutils to sanitize output of paths:
>
> http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=3ed70fd
>
> The essential issue fixed there is that control chars in a path will be
> converted to '?' (this works in all locales), and doing so will mean
> '\n' for example is not output. You could even consider this a potential
> security improvement so that arbitrary users couldn't influence the
> output of these commands for all users.
>
> I suggest using the simple inplace replacement function from above.

Why replace with a bogus character when you could instead use an octal
or hex escape? Wouldn't this still address the underlying problem?
Munging the content of a string could break a script consuming the
output with no way for the script to recover.
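The trade-off raised in this thread, as an added example that is not part of the original message and is not coreutils or util-linux code: '?' replacement makes two different paths print identically, while a hex escape that also escapes the backslash can be decoded back to the original bytes. The function names and the sample path are constructed for illustration, and the default "C" locale is assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lossy: overwrite each control byte with '?' in place. */
static void mangle_inplace(char *s)
{
    for (; *s; s++)
        if (iscntrl((unsigned char)*s))
            *s = '?';
}

/* Reversible: emit control bytes and the backslash itself as \xHH.
 * Returns a malloc'd string (caller frees), or NULL on allocation failure. */
static char *escape_hex(const char *s)
{
    char *out = malloc(strlen(s) * 4 + 1), *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (iscntrl(c) || c == '\\')
            p += sprintf(p, "\\x%02x", c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Inverse of escape_hex: decode every \xHH sequence in place. */
static void unescape_hex(char *s)
{
    char *w = s;
    while (*s) {
        unsigned int c;
        if (s[0] == '\\' && s[1] == 'x' && isxdigit((unsigned char)s[2])
            && isxdigit((unsigned char)s[3]) && sscanf(s + 2, "%2x", &c) == 1) {
            *w++ = (char)c;
            s += 4;
        } else
            *w++ = *s++;
    }
    *w = '\0';
}

int main(void)
{
    char *e = escape_hex("/mnt/usb\n/dev/sda1"); /* constructed sample path */
    if (e) { puts(e); unescape_hex(e); free(e); }
    return 0;
}
```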