* Alexander Sack: > On Fri, Sep 23, 2005 at 04:38:38PM +0200, Florian Weimer wrote: >> - # Protect quotes and $ in command-line arguments from two shell evals >> - moreargs="$moreargs \"$(echo "$1" | sed -e 's/"/\\\\\\\"/g' \ >> - -e 's/[$]/\\\\\\\$/g')\"" >> + [EMAIL PROTECTED]"$1" >> shift 1 > > > You sure that all escaping and sedding is not needed anymore?
Quite sure, yes. The "[EMAIL PROTECTED]" construct prevents interpretation of shell metacharacters, just like "$@" does. There is another command injection possibility, via the "-d" option, but its argument appears to be trusted anyway.
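Review bot: the added assignment (its left-hand side is masked as [EMAIL PROTECTED] in this copy) drops the removed comment about the two shell evals without a replacement, and the hunk does not show where moreargs is consumed. The change is only safe if that consumer no longer re-evaluates the arguments and expands them quoted, so the patch should include that site, plus a one-line comment saying the arguments are now kept as separate words and must not pass through eval. The "-d" path mentioned in the reply should get the same quoting rather than relying on its argument being trusted.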
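The difference the reply describes, as an added example that is not part of the patch or of the script being patched: an argument escaped with sed and re-parsed by eval, next to the same argument kept as a separate word and expanded with "$@". It is simplified to one eval level (the removed code handled two); the function names and the sample argument are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not code from the patched script.
# old_style/new_style are hypothetical names.

# Old approach, reduced to ONE eval level: escape " and $ with sed,
# wrap the result in double quotes, and let eval re-parse the string.
old_style() {
    escaped=$(printf '%s\n' "$1" | sed -e 's/"/\\"/g' -e 's/[$]/\\$/g')
    eval "printf '%s\n' \"$escaped\""
}

# New approach: the argument stays a positional parameter and "$@"
# expands it as exactly one word; the shell never parses its contents.
new_style() {
    set -- "$1"
    printf '%s\n' "$@"
}

# Returns 0 when the given style hands the argument through unchanged.
passes_verbatim() {
    [ "$("$1" "$2")" = "$2" ]
}

# Constructed sample: quotes and $ are covered by the sed rules,
# the backticks are not.
sample='a "b" $HOME `echo INJECTED`'

for style in old_style new_style; do
    if passes_verbatim "$style" "$sample"; then
        echo "$style: argument passed through verbatim"
    else
        echo "$style: argument was re-interpreted: $("$style" "$sample")"
    fi
done
```

The escape list has to name every character the second parse treats specially, while the "$@" form has no second parse to defend against.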