Subject: Re: [htdig3-dev] Re: ExternalTransport and shell escaping
From: Gilles Detillieux (email@example.com)
Date: Mon Feb 14 2000 - 12:35:33 PST
According to Geoff Hutchison:
> Jonathan Stark <firstname.lastname@example.org> just pointed out as a bug report
> (PR#774) that the ExternalTransport mechanism doesn't really shell escape
> the URLs. So for example:
> parser https "https://www.blah.com/&rm" /etc/htdig/htdig.conf
> This comes from this code:
> command << ' ' << _Protocol << " \"" << _URL.get() << "\" " << configFile;
> He thinks we should send the URL on STDIN to the script. I said that my
> initial feeling was to make this analogous to ExternalParser and pass it
> on the command-line. (IMHO, the command-line argument also makes it easier
> to debug the script itself.)
> Evidently, we'd need to escape shell meta-characters because they have
> higher priority than the quotes.
No, that's not right. Either Jonathan is mistaken, or he has a buggy shell
or popen() on his system. An ampersand inside double quotes is NOT supposed
to be interpreted by the shell! It would be a good idea to backslash-escape
certain meta characters that do have special meaning within double quotes,
but these are limited to `, $, !, and of course " itself.
> So I think this requires some feedback--do we want to switch to passing in
> the URL on the STDIN, or do we want to shell-escape all the
My preference would be to use the command line, rather than the standard
input, and quote the meta characters above. It doesn't look to me like
that would solve Jonathan's problem, though. Maybe he's passing unquoted
arguments from his script to other programs. Or maybe there's a bug on
his system. I had tested the external parser quoting fix on my system,
and it worked.
-- Gilles R. Detillieux E-mail: <email@example.com> Spinal Cord Research Centre WWW: http://www.scrc.umanitoba.ca/~grdetil Dept. Physiology, U. of Manitoba Phone: (204)789-3766 Winnipeg, MB R3E 3J7 (Canada) Fax: (204)789-3930
------------------------------------ To unsubscribe from the htdig3-dev mailing list, send a message to firstname.lastname@example.org You will receive a message to confirm this.
This archive was generated by hypermail 2b28 : Mon Feb 14 2000 - 12:38:26 PST