Re: [Help-bash] How to test against shell code injection?


From: Pierre Gaston
Subject: Re: [Help-bash] How to test against shell code injection?
Date: Tue, 9 Jul 2013 09:31:40 +0300

On Mon, Jul 8, 2013 at 2:48 AM, adrelanos <address@hidden> wrote:
> Hi,
>
> I wrote a server in bash. It handles potentially untrusted input.
>
> Do you know some code to test if it's safe?
>
> I mean, I tried something like
>
> $(x) \
>   ' \
> `x`
>
> And nothing strange happened. No code execution.
>
> Do you have better suggestions?
>
> Cheers,
> adrelanos
>

Just the usual suggestions: validate your input, quote your "$var",
don't use eval.
Take care if you use shell variables in the arguments of commands that
can write to files, database etc...
e.g. sed "s/$var/foo/g" allows sed code injection, writing and reading
arbitrary files (and running arbitrary commands if you use GNU sed)
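As an added example (not code from the thread), the sed pattern Pierre warns about beside a defensive version: the untrusted value is either restricted to a conservative character set, or escaped so sed treats it as literal text rather than regex or command syntax. The helper names sed_escape_pattern, sed_escape_replacement, is_safe_token and replace_literal are assumptions, not existing tools.

```shell
# Added example, not from the thread. Assumes POSIX sh and a POSIX sed.
# Single-line values only; a newline in the value would still break the
# outer s command, so reject newlines before calling these helpers.

# Escape a value for use inside a sed basic-regex pattern delimited by '/'.
# Characters escaped: ] [ \ . * ^ $ /
sed_escape_pattern() {
  printf '%s\n' "$1" | sed 's|[][\.*^$/]|\\&|g'
}

# Escape a value for use on the replacement side of s/.../.../ (& \ /).
sed_escape_replacement() {
  printf '%s\n' "$1" | sed 's|[\/&]|\\&|g'
}

# Allow-list check: only letters, digits, '_', '.' and '-'; non-empty.
is_safe_token() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Unsafe version from the thread:   sed "s/$var/foo/g"
# Safe version: replace every literal occurrence of "$2" in "$1" with "$3".
replace_literal() {
  printf '%s\n' "$1" |
    sed "s/$(sed_escape_pattern "$2")/$(sed_escape_replacement "$3")/g"
}
```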
