Hi,

On Sunday, 27.03.2011, at 12:52 +0530, Osric Fernandes wrote:
> 2011/3/27 Raj Mathur (राज माथुर):
> > On Sunday 27 Mar 2011, Joachim Breitner wrote:
> >> No, this line is safe with
> >> $ fgrep -qx "$USER" present
> >>
> >> Thanks to the quotes around $USER, the `...` part would not be
> >> executed. But the quotes should be around every use of USER, in the
> >> later part of the code your exploit works.
> >
> > As Binand pointed out in personal mail, you are absolutely correct and
> > the shell will not interpret `...` commands in a variable read from a
> > user.
>
> So, given BASH's treatment of quoted variables, is there any
> difference between the two?
>
> grep -q "^$USER$" present
> fgrep -qx "$USER" present

Yes. If present contains:

    Anup
    Deepak

and $USER is set to “.*” then the first one will return true (because
the regular expression .* matches at least one line in present) while
the second will correctly say that it is not in present.

You have to distinguish between special characters interpreted by bash
and special characters interpreted by grep.

Greetings,
Joachim

-- 
Joachim Breitner
  e-Mail: [email protected]
  Homepage: http://www.joachim-breitner.de
  ICQ#: 74513189
  Jabber-ID: [email protected]
-- http://mm.glug-bom.org/mailman/listinfo/linuxers
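
The difference described in the message above, as an added example that is not part of the original thread: the same names are checked against a constructed copy of the `present` file with both commands. The function names are hypothetical, `grep -F -x` is used as the POSIX spelling of `fgrep -x`, and the `--` guard for names that begin with a dash goes beyond what the thread discusses.

```shell
#!/bin/sh
# Constructed roster with the two names used in the message.
present=$(mktemp)
trap 'rm -f "$present"' EXIT
printf '%s\n' Anup Deepak > "$present"

# Regex check from the thread: grep interprets the name as a pattern,
# so regex metacharacters in the input change what is matched.
in_list_regex() {
    grep -q "^$1$" "$present"
}

# Fixed-string, whole-line check (equivalent to fgrep -qx).
# "--" ends option parsing, so a name such as "-x" is data, not a flag.
in_list_fixed() {
    grep -q -F -x -- "$1" "$present"
}

# Report how each check treats one candidate name.
compare() {
    if in_list_regex "$1"; then r=match; else r=miss; fi
    if in_list_fixed "$1"; then f=match; else f=miss; fi
    printf '%s regex=%s fixed=%s\n' "$1" "$r" "$f"
}

# Constructed inputs: a real name, two regex patterns, a prefix, a dash name.
for name in 'Anup' '.*' 'An.p' 'Anu' '-x'; do
    compare "$name"
done
```

Only `Anup` should be accepted; the regex form also accepts `.*` and `An.p`, which is the grep-level interpretation that shell quoting does not prevent.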

