Re: Dangerous Characters for system calls

by graff (Chancellor)
on Oct 15, 2013 at 23:53 UTC (#1058372=note)

in reply to Dangerous Characters for system calls

Following up on the 2nd reply (++ on that one), I think it's hard to imagine a situation where the content from an email form "has to be passed through various Linux system calls." Maybe you think it has to, but I suspect you're wrong.

Whatever Linux processes you're talking about, there are bound to be ways to do what you intend to do without exposing untrusted text to a shell command line.

As for what the "risky" characters are, it's likely that all ASCII characters that match [^^/%@+\w-] are able to invoke "non-literal meanings" in a bash command line. Some (like ~ or #) might only do this if they occur in certain positions.

As for any non-ASCII characters that might happen to show up from a web form, well, who knows... I'd rather not have to experiment with that.
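The two points of the reply above, worked through in Perl as an added example (this is not graff's code and not from the original thread): first, a check that reports which characters of a string fall outside the set graff gives, using his character class unchanged; second, the list form of `system` that hands each argument straight to `execvp()`, so the text never reaches a shell at all. The sample inputs and the use of `/usr/bin/printf` as the child program are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not graff's code. The character class below is copied
# from the reply: anything it matches is treated as possibly non-literal
# on a shell command line. The sample strings are constructed.

# Returns the distinct characters of $text that graff's class flags.
sub risky_chars {
    my ($text) = @_;
    my %seen;
    $seen{$_}++ for $text =~ m{[^^/%@+\w-]}g;
    return sort keys %seen;
}

# Run an external program with untrusted arguments and no shell.
# The block form "system { $prog } @argv" forces a direct exec() even when
# there is only one argument; the plain list form with a single scalar would
# still go through /bin/sh if that scalar contained metacharacters.
sub run_without_shell {
    my ($prog, @argv) = @_;
    my $rc = system { $prog } $prog, @argv;
    die "cannot run $prog: $!\n" if $rc == -1;
    return $rc >> 8;    # child's exit status
}

# Constructed samples of the kind a web form might deliver.
my @samples = (
    'jane.doe@example.com',
    'Hello; echo injected # trailing comment',
    'total is $(hostname) $HOME `id`',
    "multi\nline\tvalue with spaces",
);

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    $shown =~ s/\t/\\t/g;
    my @bad = risky_chars($s);
    printf "%-45s -> %s\n", "<$shown>",
        @bad ? 'flagged: ' . join(' ', map { "'$_'" } @bad)
             : 'only literal characters';
}

# The format string is a constant argv entry and the data is a separate one,
# so every sample is printed back verbatim: no expansion, no command
# separation, because no shell ever parsed it.
print "\n--- each sample passed to /usr/bin/printf as its own argument ---\n";
for my $s (@samples) {
    run_without_shell('/usr/bin/printf', '%s\n', $s);
}
```

Note that graff's class also flags `.`, so the plain e-mail address is reported as containing a risky character; that is the intended conservatism of the class, and the second half of the example shows why the flagging is moot once the shell is out of the path. The same `{ $prog }` block form works with the pipe-open variant, `open(my $fh, '-|', $prog, @argv)`, for commands whose output you need to read.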
