2011/3/27 Raj Mathur (राज माथुर):
> On Sunday 27 Mar 2011, Joachim Breitner wrote:
>> No, this line is safe with
>> $ fgrep -qx "$USER" present
>>
>> Thanks to the quotes around $USER, the `...` part would not be
>> executed. But the quotes should be around every use of USER, in the
>> later part of the code your exploit works.
>
> As Binand pointed out in personal mail, you are absolutely correct and
> the shell will not interpret `...` commands in a variable read from a
> user.

So, given BASH's treatment of quoted variables, is there any difference between the two?

grep -q "^$USER$" present
fgrep -qx "$USER" present

Regards
Osric Xavier Fernandes
--
http://mm.glug-bom.org/mailman/listinfo/linuxers
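The two commands asked about above, compared side by side in an added example that is not part of the original thread: in the `grep` form the variable's value is read as a regular expression, in the `fgrep -x` form it is compared as a literal whole line. The contents of the `present` file, the function names, the use of `grep -F` (the POSIX spelling of `fgrep`) and the extra `-e` are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample data: a "present" file with one user name per line.
PRESENT=$(mktemp)
trap 'rm -f "$PRESENT"' EXIT
printf '%s\n' alice bob 'a.b' > "$PRESENT"

# Regex form from the mail: the value becomes part of the pattern,
# so ".", "*", "[...]" in it are interpreted by grep.
match_regex() { grep -q "^$1\$" "$PRESENT"; }

# Fixed-string form from the mail (fgrep -qx is grep -F -qx).
# -e (added here) keeps a value starting with "-" from being read as an option.
match_fixed() { grep -F -qx -e "$1" "$PRESENT"; }

# Report how each form treats one candidate name.
compare() {
    r=no; f=no
    match_regex "$1" && r=yes
    match_fixed "$1" && f=yes
    printf '%-8s regex=%s fixed=%s\n' "$1" "$r" "$f"
}

# alice : listed, both forms agree
# al.ce : not listed, but "." matches the "i" in alice under the regex form
# .*    : not listed, but matches every line under the regex form
# a.b   : listed literally, both forms agree
# ali   : prefix only; the anchors and -x both require a whole-line match
for name in alice 'al.ce' '.*' 'a.b' ali; do
    compare "$name"
done
```

Both forms are safe from command substitution because of the double quotes; they differ only in whether the value can widen the match.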

