[CentOS] bash - safely pass untrusted strings?

Milton Calnek milton at calnek.com
Tue Feb 26 16:33:07 UTC 2008



Benjamin Smith wrote:
> On Tuesday 26 February 2008, Ralph Angenendt wrote:
>>> There is no mechanism for escaping untrusted input?
>> Correct. At least there's no magic quoting function.

> WHY THE @!#! NOT?!?!?
> 
> Bash is used, extensively in many cases, to deal with untrusted data. This can 
> include random file names in user home directories, parameters on various 
> scripts, etc. It's highly sensitive to being passed characters that have, 
> over the past NN years, resulted in quite a number of security holes and 
> problems. 

Perl is probably better for this.

> 
> Yet there exists NO MECHANISM for simply ensuring that a given argument is an 
> escaped string? 
> 
> How many "homebrew" ISP or hosting administration scripts could be compromised 
> by simply putting a file in your home directory called ";rm -rf /" ? 

why would you do that... it'd be much more interesting to do something like
";usermod -u 0 mylogin"


-- 
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




More information about the CentOS mailing list