On Tue, Feb 26, 2008 at 12:45:41PM -0600, Les Mikesell alleged:
Garrick Staples wrote:
How many "homebrew" ISP or hosting administration scripts could be compromised by simply putting a file in your home directory called ";rm -rf /" ?
It's not as bad as you think because of the order of operations.
In all cases, these perform exactly as a string should regardless of inner characters.
He's probably thinking of a scripted operation that does a find . -print |xargs some_command (without print0) or a backtick or $(..) generated expansion. A lot of
Yes, so was I. That's why I had some examples of string with quotes being evaluated by the shell.
the usefulness of the shell happens because you can generate and reparse text programatically and have it become commands - and a side effect is that metacharacters that appear in the text get processed even if they aren't what you expected. I think it is kind of silly that common shell metacharacters are permitted in filenames, but there's not much you can do about it now.
My point is that the problem isn't actually all that bad. Just like all languages, you have to know what you are doing.