[CentOS] bash - safely pass untrusted strings?
Milton Calnek
milton at calnek.com
Tue Feb 26 16:33:07 UTC 2008
Benjamin Smith wrote:
> On Tuesday 26 February 2008, Ralph Angenendt wrote:
>>> There is no mechanism for escaping untrusted input?
>> Correct. At least there's no magic quoting function.
> WHY THE @!#! NOT?!?!?
>
> Bash is used, extensively in many cases, to deal with untrusted data. This can
> include random file names in user home directories, parameters on various
> scripts, etc. It's highly sensitive to being passed characters that have,
> over the past NN years, resulted in quite a number of security holes and
> problems.
Perl is probably better for this.
>
> Yet there exists NO MECHANISM for simply ensuring that a given argument is an
> escaped string?
>
> How many "homebrew" ISP or hosting administration scripts could be compromised
> by simply putting a file in your home directory called ";rm -rf /" ?
Why would you do that... it'd be much more interesting to do something like
";usermod -u 0 mylogin"
--
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737
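The injection Benjamin describes, as an added example that is not part of this thread or of anyone's post in it: a file name carrying a `;` and a command, first passed through the string-building pattern that makes "homebrew" scripts exploitable, then passed the two safe ways. It assumes bash (for `printf '%q'`); the scratch directory and the file name are constructed for the demo and the injected command is a harmless `echo`.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Shows why a file name that bash re-parses
# is an injection vector, and how to pass the same name safely.
set -u

# Constructed test data: a scratch directory and a file whose name contains a
# ';' followed by a command, the shape of attack discussed in the thread.
work=$(mktemp -d)
trap 'rm -rf -- "$work"' EXIT   # '--' stops a name beginning with '-' being read as an option
evil="$work/x; echo INJECTED"
printf 'one\ntwo\n' > "$evil"

# VULNERABLE: the name is spliced into a string that bash parses a second time.
# With the name above eval sees:   wc -l < /tmp/.../x; echo INJECTED
# wc fails on the nonexistent file and the attacker's command runs.
# (errexit is switched off in the subshell so the demo behaves like the typical
# script that never set -e; the injected command runs either way.)
unsafe_count() {
    ( set +e; eval "wc -l < $1" 2>/dev/null )
}

# SAFE (preferred): keep the name a single word. Double quotes suppress word
# splitting and globbing, so the whole string reaches the redirection intact.
# $(( )) strips the padding some wc implementations print, giving a bare number.
safe_count() {
    echo $(( $(wc -l < "$1") ))
}

# SAFE when a string really must be built for eval, ssh or sh -c: printf %q
# (bash builtin) emits a form that the shell parses back into exactly the
# original word, so the ';' and spaces stay part of the file name.
quoted_count() {
    local quoted
    quoted=$(printf '%q' "$1")
    echo $(( $(eval "wc -l < $quoted") ))
}

printf 'unsafe_count : %s\n' "$(unsafe_count "$evil")"   # INJECTED
printf 'safe_count   : %s\n' "$(safe_count "$evil")"     # 2
printf 'quoted_count : %s\n' "$(quoted_count "$evil")"   # 2
```

The first function is the pattern to grep for in existing scripts: any `eval`, `sh -c`, `ssh host "..."` or `su -c` whose string includes an unquoted expansion. The second function needs no escaping at all, because the name is never re-parsed; that covers the large majority of cases. The third is only for the minority where a command line genuinely has to be assembled as text, and `printf '%q'` is bash-specific, so a script that must run under a plain POSIX sh cannot rely on it.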