Marek Grzybowski wrote:
> Jens Peter Secher wrote:
>> 2009/9/17 Marek Grzybowski <[email protected]>:
(...)
>>> Andrzej Lemieszek (in CC) found a few more, and he escaped them, so using rcs
>>> should be safe too:
>>>
>>> His patch:
>>>
>> [...]
>>> + my $realfile_esc = &escape_shell_chars ($realfile);
>> [...]
>>> - `cp $realfile $compfile`;
>>> + `cp $realfile_esc $compfile_esc`;
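Review bot: the `cp` call on the `+` line still goes through the shell via backticks, so the fix is only as good as escape_shell_chars is complete. Calling system("cp", "--", $realfile, $compfile) in list form would hand the names to cp as arguments with no shell parsing at all, and would give a return status to check, which the backtick form discards.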
>> [...]
>>> +sub escape_shell_chars
>>> +{
>>> + my $arg = shift;
>>> + $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
>>> + return $arg;
>>> +}
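Review bot: the character class in the s/// line contains no backslash and no `?`, so a name containing either reaches the shell unescaped, and `\s` puts a backslash in front of a newline, which the shell treats as a line continuation and drops instead of keeping the newline. Wrapping the argument in single quotes and rewriting each embedded ' as '\'' handles every character with one rule and avoids maintaining a list.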
>> This is not going to work. When $realfile_esc is different from
>> $realfile, then it makes no sense to copy the non-existent
>> $realfile_esc. I will go for the solution of rejecting weird file
>> names.
>
> You're right Jens, it's not good enough with "enters",
>
> I also checked ./bashline.c in bash sources:
>
> /* characters that need to be quoted when appearing in filenames. */
> rl_filename_quote_characters = " \t\n\\\"'@<>=;|&()#$`?*[!:{"; /*}*/
>
> I did some tests, and came up with this:
Yeah, Marku, you are right. I didn't test my patch with newline characters
(I used semicolons for testing your exploit), so I didn't notice that newline
is a "special case" of special characters (see bash(1), section QUOTING) and
can't be easily quoted using a backslash.
Your solution using single quotes is much better (it smartly overrides the
limitation of single quotes, that inside a single-quoted string single quotes
can't be escaped). In the shorter form it can look like this:
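sub escape_shell_chars
{
    my $arg = shift;
    # Close the quoted string, emit an escaped quote, reopen: ' becomes '\''
    $arg =~ s/'/'\\''/g;
    # Wrap the whole argument in single quotes
    return "'$arg'";
}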
--
Andrzej Lemieszek
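
An added example, not part of the original message or of the project's code: the two quoting functions from this thread, compared by passing constructed file names through /bin/sh and checking whether each name comes back unchanged. The function names escape_backslash and escape_single_quote, the helper shell_roundtrip and the sample names are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Backslash escaping, as in the first patch quoted in the thread.
sub escape_backslash {
    my $arg = shift;
    $arg =~ s/[;<>\*\|`&\$!#\(\)\[\]\{\}:'"\s]/\\$&/g;
    return $arg;
}

# Single-quote wrapping, as in the shorter form given in this message.
sub escape_single_quote {
    my $arg = shift;
    $arg =~ s/'/'\\''/g;
    return "'$arg'";
}

# Hypothetical helper: hand the quoted word to /bin/sh and read back
# what the shell parsed it as (printf %s echoes its argument verbatim).
sub shell_roundtrip {
    my $quoted = shift;
    open(my $fh, '-|', '/bin/sh', '-c', "printf %s $quoted")
        or die "cannot run sh: $!";
    local $/;                      # slurp, so embedded newlines survive
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Constructed sample names (not taken from the thread).
my @names = ("plain.txt", "semi;colon", "it's", "two words",
             "back\\slash", "line\nbreak");

for my $name (@names) {
    (my $shown = $name) =~ s/\n/\\n/g;   # printable form for the report
    for my $quoter (['backslash',    \&escape_backslash],
                    ['single-quote', \&escape_single_quote]) {
        my ($label, $fn) = @$quoter;
        my $got = shell_roundtrip($fn->($name));
        printf "%-12s %-12s %s\n", $label, $shown,
            $got eq $name ? 'preserved' : 'ALTERED';
    }
}
```

With backslash escaping, the names containing a backslash or a newline come back altered; the single-quote form preserves all six.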