On Wed, May 27, 2009 at 02:33:35PM -0700, David Reiss wrote:
> I want to implement a rule that looks something like this...
>
> pattern=invalid data (.*) at context (.*)
> action=shellcmd /path/to/report.sh "invalid data" '$1' '$2'
>
> However, the data and context are not internally controlled, so they
> could possibly contain shell metacharacters. For example, if a log
> message is
>
> invalid data '`touch /root/attack`' at context foo
>
> then the shell command will execute the command 'touch /root/attack'.
> It seems like the -quoting option only affects the rule description. I
> was not able to find any way to ensure that $-substitutions in the
> shellcmd are properly quoted?

What about doing an eval on the captures and removing all
metacharacters, then passing the result on to report.sh?

-Jason Martin

> --David
>
> _______________________________________________
> Simple-evcorr-users mailing list
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

--
I'd rather argue with my wife than a moderator.

This message is PGP/MIME signed.
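A model of the substitution discussed in this thread, as an added example that is not part of either message and not SEC's own code: it pastes two captures into a command string the way the shellcmd line does, then compares raw captures with captures passed through an allowlist filter. The function names, the `printf` stand-in for report.sh and the marker file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Model of a shellcmd action: captures are pasted into a command string
# that is then run by "sh -c". All names here are hypothetical.

# Allowlist filter: delete every byte that is not a letter, digit, space
# or one of _ . , : / @ = + - (none of these can end a single-quoted
# string or start a command substitution).
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9 _.,:/@=+-'
}

# Textual substitution as in: action=shellcmd report.sh '$1' '$2'
# (printf stands in for /path/to/report.sh and echoes its two arguments).
build_cmd() {
    printf "printf '%%s|%%s' '%s' '%s'" "$1" "$2"
}

# run_raw DIR DATA CONTEXT: captures used as they arrived in the log line.
run_raw() {
    ( cd "$1" && sh -c "$(build_cmd "$2" "$3")" )
}

# run_clean DIR DATA CONTEXT: captures filtered before substitution.
run_clean() {
    ( cd "$1" && sh -c "$(build_cmd "$(sanitize "$2")" "$(sanitize "$3")")" )
}

# Constructed sample, shaped like the log message in the question; the
# marker file is created only inside a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    data="'\`touch marker\`'"
    run_raw "$dir" "$data" foo >/dev/null
    if [ -e "$dir/marker" ]; then raw=executed; else raw=inert; fi
    rm -f "$dir/marker"
    run_clean "$dir" "$data" foo >/dev/null
    if [ -e "$dir/marker" ]; then clean=executed; else clean=inert; fi
    rm -rf "$dir"
    echo "raw=$raw clean=$clean"
}
demo
```

The filter changes what the report command receives (the quotes and backticks are dropped from the data), which is the trade-off of the removal approach suggested in the reply.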
