On Tue, Feb 26, 2008 at 12:45:41PM -0600, Les Mikesell alleged: > Garrick Staples wrote: > > >>How many "homebrew" ISP or hosting administration scripts could be > >>compromised by simply putting a file in your home directory called ";rm > >>-rf /" ? > > > >It's not as bad as you think because of the order of operations. > > > >In all cases, these perform exactly as a string should regardless of inner > >characters. > > He's probably thinking of a scripted operation that does a > find . -print |xargs some_command > (without print0) or a backtick or $(..) generated expansion. A lot of Yes, so was I. That's why I had some examples of string with quotes being evaluated by the shell. > the usefulness of the shell happens because you can generate and reparse > text programatically and have it become commands - and a side effect is > that metacharacters that appear in the text get processed even if they > aren't what you expected. I think it is kind of silly that common shell > metacharacters are permitted in filenames, but there's not much you > can do about it now. My point is that the problem isn't actually all that bad. Just like all languages, you have to know what you are doing. -- Garrick Staples, GNU/Linux HPCC SysAdmin University of Southern California Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20080226/82d0e258/attachment-0004.sig>