Re: [Help-bash] How to test against shell code injection?
From: Pierre Gaston
Subject: Re: [Help-bash] How to test against shell code injection?
Date: Tue, 9 Jul 2013 09:31:40 +0300
On Mon, Jul 8, 2013 at 2:48 AM, adrelanos <address@hidden> wrote:
> Hi,
>
> I wrote a server in bash. It handles potentially untrusted input.
>
> Do you know some code to test if it's safe?
>
> I mean and tried something like
>
> $(x) \
> ' \
> `x`
>
> And nothing strange happened. No code execution.
>
> Do you have better suggestions?
>
> Cheers,
> adrelanos
>
Just the usual suggestions: validate your input, quote your "$var",
don't use eval.
Take care if you use shell variables in the arguments of commands that
can write to files, databases, etc.
E.g.: sed "s/$var/foo/g" allows sed code injection, writing and reading
arbitrary files (and running arbitrary commands if you use GNU sed).
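An added example, not from this thread or its authors, showing two ways to do the replacement the reply warns about without letting the untrusted value become sed code. Function names are my own; the escape tables assume GNU sed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). The reply warns that
#     sed "s/$var/foo/g"
# turns the contents of $var into sed code. Two safer shapes follow.

# Option 1: stay inside bash. Quoting $needle makes it a literal string
# (not a glob), and quoting $replacement keeps '&' literal even on bash 5.2,
# where the patsub_replacement option is on by default.
replace_literal() {
    local needle=$1 replacement=$2 line
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "${line//"$needle"/"$replacement"}"
    done
}

# Option 2: if sed is required, escape the untrusted text before it is
# spliced into the script. Pattern side: every character special in a
# basic regular expression, plus the '/' delimiter and backslash.
sed_escape_pattern() {
    printf '%s' "$1" | sed 's/[]\/$*.^\\[]/\\&/g'
}

# Replacement side: only '&', '\' and the delimiter are special.
sed_escape_replacement() {
    printf '%s' "$1" | sed 's/[\/&\\]/\\&/g'
}

replace_with_sed() {
    local pat rep
    pat=$(sed_escape_pattern "$1")
    rep=$(sed_escape_replacement "$2")
    sed "s/$pat/$rep/g"
}

# Self-check with constructed input: a value containing '/', '.', '*' and '&'
# (each of which would change the meaning of the naive script) is treated as
# plain text by both shapes. Returns 0 when both agree with the expected line.
self_check() {
    local needle='rel/1.0*' replacement='v2 & co/ltd' in out1 out2
    in='tag rel/1.0* and rel/1.0* again'
    out1=$(printf '%s\n' "$in" | replace_literal "$needle" "$replacement")
    out2=$(printf '%s\n' "$in" | replace_with_sed "$needle" "$replacement")
    [ "$out1" = "$out2" ] && [ "$out1" = 'tag v2 & co/ltd and v2 & co/ltd again' ]
}
```

The bash builtin form is the simpler one to reason about; the sed form is only worth the escaping when sed's other features are actually needed.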