> On Sun, Sep 21, 2014 at 06:56:27PM -0400, David T. Lewis wrote:
>> If you are booting directly into the image, you may find it useful to also
>> load CommandShell/OSProcess into your image. This will let you open a
>> Smalltalk shell window directly within your Squeak/Pharo boot image, so
>> that you have access to the operating system with actually opening any
>> windows or terminal sessions outside of your image.
>>
>>   http://www.squeaksource.com/CommandShell
>>   http://www.squeaksource.com/OSProcess
>
> In view of ShellShock, from a PipeableOSProcess example:
>
>   | env |
>   env := OSProcess thisOSProcess environment copy.
>   env at: #SHOCKED put: '() { :;}; echo ShellShocked;'.
>   (PipeableOSProcess command: 'echo Nah' environment: env) output
>
> This gives the following. (Yes, this is done on an unpatched bash for demo
> purposes. Everyone should patch as soon as you can.)
>
>   ShellShocked
>   Nah
>
> I have a webapp that shells out to some OS command line tool. I think I have
> written it such that untrustworthy web input does not taint the command line
> tool's environment and input. I think. Everyone doing similar may wish to
> relook at it.
>
> David, perhaps the code is already there, but can we run OS commands without
> invoking the shell?
>
> Pierce
>
>

Yes, you can run any executable command as an external OS process. It is
usually easier to run /bin/sh as the command and let the shell do the
parsing, but you can run any program you like. And you can also do the
"shell" in native Smalltalk with CommandShell, although this is not a
complete simulation of a unix shell, so sometimes it is better to use the
real /bin/sh program.

Dave
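
The approach discussed in this thread (run the tool directly instead of through /bin/sh, and keep untrusted input out of its environment), as an added example that is not part of the original messages and does not use the OSProcess API. It is written in Python; `ALLOWED_ENV`, `clean_environment`, `run_tool`, `CHILD` and the sample environment are all assumptions constructed for illustration.

```python
import re
import subprocess
import sys

# Assumed allowlist: the only variables the external tool may inherit.
ALLOWED_ENV = ("PATH", "LANG", "LC_ALL", "TZ")
# Values shaped like an exported bash function, as in the demo quoted above.
# Defence in depth only; the fix is a patched bash and not invoking a shell.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

def clean_environment(env):
    """Return (clean, rejected): allowlisted variables, and the names dropped."""
    clean, rejected = {}, []
    for name, value in env.items():
        if name in ALLOWED_ENV and not FUNC_DEF.match(value):
            clean[name] = value
        else:
            rejected.append(name)
    return clean, sorted(rejected)

def run_tool(argv, env):
    """Execute argv directly (no /bin/sh) with the cleaned environment."""
    clean, _ = clean_environment(env)
    done = subprocess.run(argv, env=clean, shell=False, check=True,
                          capture_output=True, text=True, timeout=10)
    return done.stdout

# Constructed sample: an environment as a web front end might hand it over.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "SHOCKED": "() { :;}; echo ShellShocked;",   # not on the allowlist
    "HTTP_USER_AGENT": "constructed-value",      # request data, not allowlisted
    "TZ": "() { :;}; echo ShellShocked;",        # allowlisted name, rejected value
}

# Stand-in for the command line tool: prints its first argument and whether
# the SHOCKED variable reached it.
CHILD = [sys.executable, "-c",
         "import os, sys; print(sys.argv[1]); print('SHOCKED' in os.environ)"]

if __name__ == "__main__":
    print(clean_environment(SAMPLE_ENV))
    # The argument is one argv element; no shell ever parses the ';'.
    print(run_tool(CHILD + ["Nah; echo injected"], SAMPLE_ENV))
```

Because the argument vector is passed straight to the program, the `;` in the untrusted argument is printed literally rather than interpreted.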


