[htdig3-dev] Re: ExternalTransport and shell escaping


Subject: [htdig3-dev] Re: ExternalTransport and shell escaping
From: Geoff Hutchison (ghutchis@wso.williams.edu)
Date: Mon Feb 14 2000 - 11:36:50 PST


Hi,

Jonathan Stark <stark@starks.org> just pointed out as a bug report
(PR#774) that the ExternalTransport mechanism doesn't really shell escape
the URLs. So for example:

parser https "https://www.blah.com/&rm" /etc/htdig/htdig.conf

This comes from this code:

command << ' ' << _Protocol << " \"" << _URL.get() << "\" " << configFile;

He thinks we should send the URL on STDIN to the script. I said that my
initial feeling was to make this analogous to ExternalParser and pass it
on the command-line. (IMHO, the command-line argument also makes it easier
to debug the script itself.)

Evidently, we'd need to escape shell meta-characters because they have
higher priority than the quotes.

So I think this requires some feedback--do we want to switch to passing in
the URL on the STDIN, or do we want to shell-escape all the
meta-characters?

-Geoff

------------------------------------
To unsubscribe from the htdig3-dev mailing list, send a message to
htdig3-dev-unsubscribe@htdig.org
You will receive a message to confirm this.



This archive was generated by hypermail 2b28 : Mon Feb 14 2000 - 11:39:41 PST