
Re: [Help-bash] How to test against shell code injection?


From: adrelanos
Subject: Re: [Help-bash] How to test against shell code injection?
Date: Wed, 10 Jul 2013 13:40:18 +0000

Pierre Gaston:
> On Mon, Jul 8, 2013 at 2:48 AM, adrelanos <address@hidden> wrote:
>> Hi,
>>
>> I wrote a server in bash. It handles potentially untrusted input.
>>
>> Do you know some code to test if it's safe?
>>
>> I mean and tried something like
>>
>> $(x) \
>>   ' \
>> `x`
>>
>> And nothing strange happened. No code execution.
>>
>> Do you have better suggestions?
>>
>> Cheers,
>> adrelanos
>>
> 
> Just the usual suggestions: validate your input, quote your "$var",
> don't use eval.
> Take care if you use shell variables in the arguments of commands that
> can write to files, databases, etc.
> e.g.: sed "s/$var/foo/g" allows sed code injection, writing and reading
> arbitrary files (and running arbitrary commands if you use GNU sed)

Thanks. I'll keep that in mind. I was looking for that kind of safe coding
advice.
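
The sed case mentioned in the quoted reply, as an added example that is not part of the thread: it shows a value interpolated into `sed "s/$var/foo/g"` being parsed as sed code, next to a version that escapes the value first. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# UNSAFE: $1 is pasted into the sed program, so sed parses it as code.
unsafe_replace() {
    sed "s/$1/foo/g"
}

# Escape every character that is special in a sed BRE pattern or that
# equals the "/" delimiter, so the value can only match itself literally.
sed_escape_pattern() {
    printf '%s' "$1" | sed 's|[][\\/.*^$]|\\&|g'
}

# SAFER: reject empty and multi-line values, then escape before use.
safe_replace() {
    case $1 in
        '' | *'
'*) return 1 ;;
    esac
    sed "s/$(sed_escape_pattern "$1")/foo/g"
}

# Constructed sample input: the value carries a second sed command.
untrusted='alpha/A/;s/beta'
printf 'unsafe: %s\n' "$(printf 'alpha beta\n' | unsafe_replace "$untrusted")"
printf 'safe:   %s\n' "$(printf 'alpha beta\n' | safe_replace "$untrusted")"
```

With GNU sed, the `--sandbox` option additionally rejects the `e`, `w` and `r` commands, which is a useful second layer when a script must accept patterns from outside.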


