Re: [htdig3-dev] Re: ExternalTransport and shell escaping


Subject: Re: [htdig3-dev] Re: ExternalTransport and shell escaping
From: Geoff Hutchison (ghutchis@wso.williams.edu)
Date: Mon Feb 14 2000 - 13:40:09 PST


On Mon, 14 Feb 2000, Gilles Detillieux wrote:

> > Evidently, we'd need to escape shell meta-characters because they have
> > higher priority than the quotes.
>
> No, that's not right. Either Jonathan is mistaken, or he has a buggy shell
> or popen() on his system. An ampersand inside double quotes is NOT supposed
> to be interpreted by the shell! It would be a good idea to backslash-escape
> certain meta characters that do have special meaning within double quotes,
> but these are limited to `, $, !, and of course " itself.

That's what I thought too, but since I'm an experimentalist, I tried this
from my bash prompt:

handler.pl https "https://bal.com&rm" /etc/htdig/htdig.conf

I was fairly sure that the ampersand was NOT supposed to be interpreted,
but in any case, I didn't have the privs to remove htdig.conf. I got an
error message back from rm. Try it! It might be a bug in bash, but it's a
bit irrelevant--we have to work around it.

> arguments from his script to other programs. Or maybe there's a bug on
> his system. I had tested the external parser quoting fix on my system,
> and it worked.

I dunno. Try the test above from your bash prompt and let me know. I'd say
if *I* can do it reproducibly, then there's some version of bash with this
bug and we need to worry about it from a security standpoint.

-Geoff
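
An added example, not part of the original message and not ht://Dig's own code: a small C++ check of what /bin/sh, as started by popen(), does with a URL wrapped in plain double quotes versus single quotes with any embedded ' escaped. The helper names and the sample URLs are constructed for illustration.

```cpp
#include <stdio.h>
#include <string>

// Hypothetical helper: quote one argument for /bin/sh using single quotes.
// Inside '...' nothing is special; an embedded ' becomes '\'' (close, escaped quote, reopen).
std::string sh_single_quote(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// The style debated in the thread: plain double quotes, nothing escaped.
std::string naive_double_quote(const std::string &arg) {
    return "\"" + arg + "\"";
}

// Hand one already-quoted word to /bin/sh through popen() and return what
// the shell actually passed on as the argument.
std::string shell_roundtrip(const std::string &quoted_word) {
    std::string cmd = "printf %s " + quoted_word;
    std::string result;
    FILE *p = popen(cmd.c_str(), "r");
    if (!p) return result;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) result.append(buf, n);
    pclose(p);
    return result;
}

int main() {
    // Constructed sample URLs; the substitutions only run a harmless echo.
    const char *samples[] = {
        "https://example.invalid/?a=1&b=2",
        "https://example.invalid/`echo x`",
        "https://example.invalid/it's$(echo y)",
    };
    for (const char *s : samples) {
        std::string url(s);
        printf("input : %s\n", s);
        printf("double: %s\n", shell_roundtrip(naive_double_quote(url)).c_str());
        printf("single: %s\n\n", shell_roundtrip(sh_single_quote(url)).c_str());
    }
    return 0;
}
```

On a POSIX shell the ampersand comes back unchanged from the double-quoted form, the backtick and $( ) forms come back expanded, and the single-quoted form returns every input byte for byte.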




This archive was generated by hypermail 2b28 : Mon Feb 14 2000 - 13:43:09 PST