- Path: sparky!uunet!dtix!darwin.sura.net!wupost!cs.utexas.edu!csc.ti.com!tilde.csc.ti.com!fstop.csc.ti.com!choctaw!peterson
- From: peterson@choctaw.NoSubdomain.NoDomain (Bob Peterson)
- Newsgroups: alt.gopher
- Subject: Escaping shell metacharacters
- Message-ID: <1992Jul24.205632.17295@csc.ti.com>
- Date: 24 Jul 92 20:56:32 GMT
- Sender: usenet@csc.ti.com
- Reply-To: peterson@csc.ti.com
- Organization: Texas Instruments Computer Science Lab
- Lines: 28
- Nntp-Posting-Host: choctaw
-
-
- Over the past few days I used Mike Macgirvin's
- (mtm@camis.Stanford.EDU) WHOIS/FINGER hack (alt.gopher article
- <mtm.711060422@CAMIS>) to implement in our Gopher 1.01 queries of the
- local Archie index. In doing so I suddenly discovered my Archie query
- using the regular expression ^emacs caused _execution_ of emacs, rather
- than executing the archie shell script with an argument of ^emacs. The
- shell (/bin/csh under SunOS 4.1.2) interpreted the caret as a
- metacharacter, terminated the line up to and including the caret, then
- executed emacs.
-
- In short, gopherd's exec: processing needs to strip or escape
- characters with special meaning. Failing to handle special characters
- opens a security hole, e.g., if instead of searching for files matching
- the regular expression "^emacs" I had searched for "^rm -rf *", well,
- you get the idea.
-
- The new code should probably go into gopherd/special.c just after
- line 64, "s[strlen(s)-1] = '\0';". I've not yet debugged the necessary
- code.
-
- Bob
-
- --
- Bob Peterson Work: peterson@csc.ti.com Expressway Site
- Texas Instruments Home: peterson@zgnews.lonestar.org North Building
- P.O. Box 655474, MS238 TIMSG: RWP Landline: +1 214 995 6080 Aisle A4
- Dallas, Tx USA 75265 FAX line: +1 214 995 0304 2-88V97
-
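The escaping step the post asks for, as an added example that is not part of the original post and not gopherd code. It assumes the command line is handed to a POSIX sh (which is what popen() and system() invoke) rather than csh, whose quoting rules differ; `shell_quote` and `run_quoted` are hypothetical names, and the query string is constructed from the one quoted in the post.

```c
/* Added example, not gopherd code: quote one untrusted argument for POSIX sh.
   shell_quote() and run_quoted() are hypothetical helper names. */
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() */
#include <stdio.h>
#include <string.h>

/* Wrap `in` in single quotes so sh treats every byte as literal text.
   An embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
   Returns 0 on success, -1 if `out` is too small. */
int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;                  /* need at least '' + NUL */
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outlen) return -1;   /* keep room for ' and NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Run "<prog> <quoted arg>" via popen() (that is, sh -c) and copy the first
   line of output into `out`. `prog` must be a fixed, trusted string.
   Returns 0 on success, -1 on any error. */
int run_quoted(const char *prog, const char *arg, char *out, size_t outlen)
{
    char quoted[512], cmd[640];
    FILE *p;
    if (shell_quote(arg, quoted, sizeof quoted) != 0) return -1;
    if (snprintf(cmd, sizeof cmd, "%s %s", prog, quoted) >= (int)sizeof cmd)
        return -1;
    if ((p = popen(cmd, "r")) == NULL) return -1;
    if (fgets(out, (int)outlen, p) == NULL) out[0] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

int main(void)
{
    char line[256];
    /* Constructed input modelled on the query quoted in the post. */
    if (run_quoted("echo", "^rm -rf *", line, sizeof line) == 0)
        fputs(line, stdout);                    /* the query, unexecuted */
    return 0;
}
```

Where the program and its arguments are known in advance, passing the query as its own argv element to execv() avoids the shell, and with it the need for quoting, entirely.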