Subject: Re: [htdig3-dev] Re: ExternalTransport and shell escaping
From: Geoff Hutchison (firstname.lastname@example.org)
Date: Mon Feb 14 2000 - 13:40:09 PST
On Mon, 14 Feb 2000, Gilles Detillieux wrote:
> > Evidently, we'd need to escape shell meta-characters because they have
> > higher priority than the quotes.
> No, that's not right. Either Jonathan is mistaken, or he has a buggy shell
> or popen() on his system. An ampersand inside double quotes is NOT supposed
> to be interpreted by the shell! It would be a good idea to backslash-escape
> certain meta characters that do have special meaning within double quotes,
> but these are limited to `, $, !, and of course " itself.
That's what I thought too, but since I'm an experimentalist, I tried this
from my bash prompt:
    handler.pl https "https://bal.com&rm" /etc/htdig/htdig.conf
I was fairly sure that the ampersand was NOT supposed to be interpreted,
but in any case, I didn't have the privs to remove htdig.conf. I got an
error message back from rm. Try it! It might be a bug in bash, but it's a
bit irrelevant--we have to work around it.
> arguments from his script to other programs. Or maybe there's a bug on
> his system. I had tested the external parser quoting fix on my system,
> and it worked.
I dunno. Try the test above from your bash prompt and let me know. I'd say
if *I* can do it reproducibly, then there's some version of bash with this
bug and we need to worry about it from a security standpoint.
This archive was generated by hypermail 2b28 : Mon Feb 14 2000 - 13:43:09 PST
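An added example, not part of the original message or of ht://Dig's code: one way to quote an argument before it is placed in a popen() command line, using single quotes so that none of the characters discussed in this thread (&, `, $, !, ") reach the shell as syntax. The names sh_quote and roundtrip, the sample URL, and the use of printf as a stand-in for the external handler are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap arg in single quotes. Inside '...' the shell takes every byte
 * literally, so only ' needs handling: close the quote, emit \', reopen.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *sh_quote(const char *arg)
{
    size_t n = 3;                            /* two quotes + NUL */
    for (const char *p = arg; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out) return NULL;
    *q++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Send arg through /bin/sh via popen() and read back what the child
 * received. printf stands in for the external handler (assumption). */
int roundtrip(const char *arg, char *buf, size_t buflen)
{
    char *quoted = sh_quote(arg);
    if (!quoted) return -1;
    size_t len = strlen(quoted) + 16;        /* room for "printf '%s' " */
    char *cmd = malloc(len);
    if (!cmd) { free(quoted); return -1; }
    snprintf(cmd, len, "printf '%%s' %s", quoted);
    free(quoted);
    FILE *fp = popen(cmd, "r");
    free(cmd);
    if (!fp) return -1;
    size_t got = fread(buf, 1, buflen - 1, fp);
    buf[got] = '\0';
    return pclose(fp) == 0 ? 0 : -1;
}

int main(void)
{
    char buf[256];
    const char *url = "https://example.invalid/?a=1&b=`id`$HOME!\"'"; /* constructed */
    if (roundtrip(url, buf, sizeof buf) != 0) return 1;
    puts(strcmp(buf, url) == 0 ? "argument arrived intact" : "MISMATCH");
    return 0;
}
```

Passing the arguments as an argv array to fork()/execvp() instead of popen() keeps the shell out of the path altogether, so no quoting is needed.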