Hi!
What are the recommended practices to avoid command injection when
using the exec module with user-defined variables as arguments?
For example, say we have this code:
exec("/home/.../myscript.sh '$tu'")
(or with whatever user-defined value other than $tu we may want to use)
Would this be vulnerable to command injection, or does OpenSIPS
recognize that the quoted "$tu" value should be escaped? If it is
vulnerable, how can we best avoid this? Does it suffice to use
s.escape.common on the value?
Regards,
Erik
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
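
Added example, not part of Erik's message and not OpenSIPS code: it shows how a shell parses a value pasted between single quotes, why backslash-escaping the quote does not help there, and two ways of keeping the value as data. Assumptions: the exec string is expanded first and then run by "sh -c", s.escape.common backslash-escapes ', " and \, printf stands in for myscript.sh, and the sample value and all function names are constructed.

```sh
#!/bin/sh
# Added example; every name and value here is constructed.
# Assumption: the exec string is expanded first, then handed to "sh -c".
STANDIN="printf '%s\n'"          # stands in for /home/.../myscript.sh
SAMPLE="x'; echo INJECTED #"     # constructed value containing a single quote

# 1. Value pasted between single quotes, as in exec("... '$tu'").
run_naive() { sh -c "$STANDIN ARG='$1'"; }

# 2. Backslash-escape ', " and \ first (assumed s.escape.common behaviour).
#    Inside single quotes a backslash is literal, so the quote still closes.
backslash_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's/"/\\"/g'
}
run_escaped() { sh -c "$STANDIN ARG='$(backslash_escape "$1")'"; }

# 3. POSIX-correct quoting: close the quote, emit \', reopen the quote.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
run_quoted() { sh -c "$STANDIN ARG=$(sh_quote "$1")"; }

# 4. Keep the value out of the command text: pass it in the environment.
run_env() { TU="$1" sh -c 'printf "%s\n" "ARG=$TU"'; }

# 5. Allow-list check to apply before any of the above.
is_plain() {
    case "$1" in
        ''|*[!A-Za-z0-9@.:_+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

for f in run_naive run_escaped run_quoted run_env; do
    echo "== $f"
    "$f" "$SAMPLE"
done
is_plain "$SAMPLE" || echo "== is_plain: rejected"
```

Cases 1 and 2 both run the second command; cases 3 and 4 print the value unchanged as a single argument.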