On Sun, 4 May 2014 12:48:38 +0100 Chris Down <ch...@chrisdown.name> wrote:

> I did not see that, however that still doesn't really resolve the
> problem. You don't know which shell the user is using.

I suppose taking care of a properly-fortified regex + the included
security from the shell-escapes is sufficient.
Can you give me an example for a shell which can't interpret strings
escaped this way?

> This does not resolve all problems, anyway. Consider `foo 'bar %s'`.

Granted, this problem would exist, if a program designed like foo
existed. I'd consider this a faulty design.
I'm always happy to learn, but the programs I know, which take commands
as arguments, usually do it with a flag at the end followed by
_unquoted_ arguments.

Taking st for example, executing a program in a new shell works this
way:

    $ st (opts) -e (command)

Taking one line from the config.h, handling mp3's equates to executing
this command:

    { "\.mp3", "st -e mplayer %s" }

This behaviour is consistent across most terminal emulators I know.

Now, we might ask ourselves if this really is a deficiency in soap or a
general shell-concern, which has already been addressed broadly.

Cheers

FRIGN

--
FRIGN <d...@frign.de>
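
The two command templates from this message, run through single-quote escaping of the `%s` value. This is an added example, not part of the original post and not soap's code. The helpers `sq_escape`, `expand` and `run`, and the stand-in functions `st` and `foo`, are hypothetical; the file names are constructed and a POSIX `sh` is assumed.

```shell
#!/bin/sh
# Added example: POSIX single-quote escaping for a %s placeholder.
# st and foo below are stand-in shell functions, not the real programs.

# sq_escape STRING: wrap STRING in single quotes; each embedded ' becomes '\''.
sq_escape() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) head=${s%%\'*}; out="$out$head'\\''"; s=${s#*\'} ;;
            *)    out="$out$s"; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# expand TEMPLATE FILE: replace the first %s in TEMPLATE with the escaped FILE.
expand() {
    printf '%s' "${1%%%s*}$(sq_escape "$2")${1#*%s}"
}

# Stand-ins that print every argument they receive as [arg].
STUBS='show() { for a in "$@"; do printf "[%s]" "$a"; done; }
st() { show "$@"; }
foo() { show "$@"; }
'

# run TEMPLATE FILE: let a child sh parse the expanded command line.
run() {
    sh -c "$STUBS$(expand "$1" "$2")"
}

# Template with a bare %s (the config.h style): the escaped name stays
# one argument, even with a space and an apostrophe in it.
run 'st -e mplayer %s' "my song's.mp3"; echo
#   [-e][mplayer][my song's.mp3]

# Template that already quotes %s: the escape's own quotes close the
# template's quote, so the name ends up unquoted and is split.
run "foo 'bar %s'" 'my song.mp3'; echo
#   [bar my][song.mp3]
```

In the second case the name is parsed outside any quoting, so the escaping gives no protection there.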