> Risto, is there something we can do to "100% guarantee" nullify the
> effects of shell metachars by using built-in escaping or similar in Sec?
> I think this is worthy of a feature request to reduce the likelihood
> that there could be a log analysis attack on/through Sec itself through
> funny injected chars and cmd subshells, command continuation characters
> or whatever. I know there is a quoting/noquoting option but I'm not sure
> if this is enough or even applies to vars in spawned shells?
>
> In its absence I am simply not using any vars at all that could
> potentially form a point of injection, but I wouldn't mind starting to use
> more if I could be assured of their shell safety...
>
> Could you shed some light on this Risto?
>
Escaping shell metacharacters could be quite a tricky issue, because sometimes
users might want to use metacharacters explicitly. As an example, consider a
timestamp creation that is a part of a file path:
cat /tmp/myfile-`date +'%Y%m%d'`. The user could also employ many other shell
metacharacters like &&, ||, etc. Or consider the * metacharacter that could be
handy for listing files in a directory.
Although the shell metacharacter escaping could be introduced to shell
commands, this might also leave you without many features that you would
actually like to use. IMHO, the best way to achieve security here is to write
regexp carefully and assign only known values to variables (e.g., instead \S+
use [\w\-\.]+ for host names), and pass unknown data not on command line, but
through standard input (with 'pipe' action, for instance, or using the way you
posted to the list).
br,
risto
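The two defensive measures in the reply, a restrictive capture pattern and passing untrusted data over standard input instead of the command line, as an added example that is not part of the original message and not SEC code. It stands in for a SEC rule in Python: the log lines, the sshd-style message format and the regexps are constructed for illustration; the stdin consumer plays the role of the program a 'pipe' action would feed.

```python
import re
import subprocess
import sys

# Constructed sample log lines (not taken from the mailing-list thread).
GOOD_LINE = "sshd[4242]: Failed password for root from db01.example.com port 2222 ssh2"
# Same message shape, but the host field carries a shell metacharacter.
CRAFTED_LINE = "sshd[4242]: Failed password for root from db01.example.com;true port 2222 ssh2"

# The permissive form the reply warns against: \S+ accepts any run of
# non-whitespace, so metacharacters land in the captured variable.
PERMISSIVE = re.compile(r"Failed password for \S+ from (\S+) port \d+")

# The hardened form from the reply: only hostname characters may be captured.
# The literal " port" after the group anchors the field, so a host containing
# ';' cannot match at all and the rule simply does not fire.
STRICT = re.compile(r"Failed password for \S+ from ([\w\-\.]+) port \d+")


def extract_host(pattern, line):
    """Return the captured host field, or None when the line does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def handle_via_stdin(host):
    """Equivalent of a 'pipe' action: the value travels on stdin to a fixed
    argv and never passes through /bin/sh, so metacharacters stay inert.
    Returns the byte count the consumer reports (host plus trailing newline)."""
    # Hypothetical consumer: a portable stand-in for whatever program the
    # pipe action would start; it just reports how much input it received.
    consumer = [sys.executable, "-c",
                "import sys; data = sys.stdin.read(); print(len(data))"]
    result = subprocess.run(consumer, input=host + "\n",
                            capture_output=True, text=True, check=True)
    return int(result.stdout.strip())


if __name__ == "__main__":
    for name, pat in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name, "good:", extract_host(pat, GOOD_LINE),
              "crafted:", extract_host(pat, CRAFTED_LINE))
    print("bytes consumed via stdin:", handle_via_stdin("db01.example.com;true"))
```

The permissive pattern hands `db01.example.com;true` to the action unchanged, which is exactly the value a `shellcmd` would interpolate; the strict pattern rejects the crafted line outright, and the stdin path shows that even an unvalidated value is harmless when it is data on a pipe rather than text in a command string.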
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users