Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

Re: Dangerous Characters for system calls

by graff (Chancellor)
on Oct 15, 2013 at 23:53 UTC ( #1058372=note: print w/ replies, xml ) Need Help??


in reply to Dangerous Characters for system calls

Following up on the 2nd reply (++ on that one), I think it's hard to imagine a situation where the content from an email form "has to be passed through various Linux system calls." Maybe you think it has to, but I suspect you're wrong.

Whatever Linux processes you're talking about, there are bound to be ways to do what you intend to do without exposing untrusted text to a shell command line.

As for what the "risky" characters are, it's likely that all ASCII characters that match [^^/%@+\w-] are able to invoke "non-literal meanings" in a bash command line. Some (like ~ or #) might only do this if they occur in certain positions.

As for any non-ASCII characters that might happen to show up from a web form, well, who knows... I'd rather not have to experiment with that.


Comment on Re: Dangerous Characters for system calls
Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1058372]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (7)
As of 2014-09-17 07:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (65 votes), past polls