system command and dummy fields

Jay R. Ashworth jra at baylink.com
Mon May 19 07:31:05 PDT 2008


On Mon, May 19, 2008 at 10:09:25AM -0400, Dennis Malen wrote:
> I am not clear on where you want me to remove the semi colons.

I'll expand.

The point Mark is making, Dennis, is this:

By putting variables into the middle of a string the system command is
going to execute, you make the *contents of those variables* critical
to the safety of the system around the programs.

That is: if your program puts into those 2 variables any data that's
directly supplied by a human, then you have to "sanitise" that data:
you need to take out anything which -- if it ended up inside a SYSTEM
command -- could cause behaviour you don't want.

What if, for example, you asked a user to supply the file name, and
they said it was ";rm -rf /"?  Think about that for a minute, and you
should see what problem he's talking about.

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

	     Those who cast the vote decide nothing.
	     Those who count the vote decide everything.
	       -- (Joseph Stalin)
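Editor's added example (not from the thread or from filePro): a Python illustration of the point above, with the vulnerable "variable pasted into the command string" pattern beside two defensive alternatives. The file names, the `cat` command and the helper names are assumptions chosen for the demonstration; the hostile input is the one Jay gives.

```python
"""Shell command injection: vulnerable string building vs. hardened forms.

Demonstrates the problem described in the post: when user-supplied data is
pasted into a string that a shell will execute, the *data* controls what the
shell does.  The defence is to never let the shell parse user data (argv list),
or at minimum to quote it and allowlist it.
"""
import os
import re
import shlex
import subprocess
import tempfile

# Constructed sample inputs: a benign name and hostile ones (the second is
# the example from the post).
SAMPLE_INPUTS = ["report.txt", ";rm -rf /", "notes;ls", "../etc/passwd", "-n"]

# Allowlist for a plain file name: letters, digits, dot, underscore, dash.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def unsafe_command(filename: str) -> str:
    """VULNERABLE: builds the shell string the way the thread warns against.

    Returned only as text so the reader can see what the shell would receive;
    with ';rm -rf /' the 'command' becomes two commands.
    """
    return f"cat {filename}"


def quoted_command(filename: str) -> str:
    """Better: shlex.quote() makes the shell treat the data as one literal word.

    ';rm -rf /' becomes a quoted argument, so cat is asked for a file with a
    strange name instead of the shell running rm.
    """
    return f"cat {shlex.quote(filename)}"


def is_safe_filename(name: str) -> bool:
    """Allowlist check: reject shell metacharacters, path separators and
    anything starting with '-' (which a command could read as an option)."""
    if not _SAFE_NAME.fullmatch(name):
        return False
    if name in (".", "..") or name.startswith("-"):
        return False
    return True


def safe_argv(filename: str) -> list:
    """Best: validate, then hand the command to the OS as an argv list.

    No shell is involved, so ';', '|', '$(...)' etc. have no meaning at all.
    '--' ends option parsing in case the name ever slips past the allowlist.
    """
    if not is_safe_filename(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    return ["cat", "--", filename]


def run_safely(filename: str, workdir: str) -> str:
    """Run the allowlisted command without a shell and return its stdout."""
    result = subprocess.run(safe_argv(filename), cwd=workdir,
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo() -> dict:
    """Show each sample input's fate under the three approaches."""
    outcomes = {}
    for name in SAMPLE_INPUTS:
        outcomes[name] = {
            "unsafe_string": unsafe_command(name),
            "quoted_string": quoted_command(name),
            "allowlisted": is_safe_filename(name),
        }
    return outcomes


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name!r}: {info}")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.txt"), "w") as fh:
            fh.write("hello\n")
        print(run_safely("report.txt", d), end="")
```

The argv-list form is the one to prefer: it removes the shell from the picture entirely, so no amount of sanitising is needed for the command to be safe. Quoting is a fallback for places where a shell string is unavoidable, and the allowlist is a second layer that also blocks path traversal and option injection, which quoting alone does not.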

