Hello,

On Sun, May 04, 2014 at 06:52:25PM +0800, Chris Down wrote:
> FRIGN writes:
> > A configuration can look like this:
> >
> > { "\.mp3", "st -e mplayer %s" },
> > { "\.(jpg|png|tiff)$", "feh %s" },
> > { "\.gif", "wget -O /tmp/tmp.gif %s && gifview -a
> > /tmp/tmp.gif" },
> > { "^(http://|https://)?(www\.)?(youtube.com/watch\?|youtu\.be/)",
> > "youtube-viewer %s" }
>
> What happens if you unwittingly open "; rm -rf /; .jpg"? I'm not sure
> system() is really a good idea here.

Indeed, this is a huge concern, even though the argument gets escaped before being tossed into the shell. In-house string escape code is always deemed insecure and incompetent, because of the dynamic nature of shell script language. So, it's always best if you can avoid escaping once and for all.

Luckily, I came up with an alternative way of passing the argument. This one uses an environment variable to store the argument, and lets the shell expand the string for us. I've already implemented it, so you can check it out.

https://github.com/esjeon/soap/commit/cec3f19ee151ab647dc8c5a544cb5e4277992531

Sincerely,
Eon