> > test "hello /etc/* bye"
> >
> > Is one instance where the expansion is performed (with ls & echo).
> > That will cause problems with things like rm, etc.
> -------------------------------
>
> Ok... I modified my test case to use `rm` instead of echo:
>
> while read line; do
>     rm $line
> done
>
> And the ';' still gets automatically quoted. So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed.

Yes. After parameter/variable substitution, the only other operations done by the shell are:

- word splitting (separate by $IFS or blanks)
- pathname expansion (*,?,[],...)

So some security problems can still happen if one doesn't take care to quote all external data:

    rm "$line"

Command execution can't be done, but the user can still remove some file or directory that he shouldn't, or confuse some sub-program by passing unexpected parameters.

> > Getting back to the OP's concern, this becomes much more critical when constructing database queries with user supplied data.
>

Very true, and there's also the problem with cross-site-scripting, format string vulnerabilities, etc.

--
lfr
0/0
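An added example, not part of the thread above, that reproduces the two behaviours discussed: an unquoted $line is word-split and glob-expanded before rm sees it, a quoted "$line" stays one argument, and in neither case is ';' parsed as a command separator. It runs in a throwaway directory with constructed files (a, 'a;', date, secret.txt); make_sandbox, argc_unquoted, argc_quoted and survivors_after_rm are names chosen here.

```shell
#!/bin/sh
# Added example: what the shell does to external data after variable
# substitution. Nothing here touches files outside a mktemp directory.

# Create a sandbox with a constructed set of files and print its path.
make_sandbox() {
    dir=$(mktemp -d)
    ( cd "$dir" && : > a && : > 'a;' && : > date && : > secret.txt )
    echo "$dir"
}

# How many words a line becomes inside directory $1:
# unquoted -> word splitting on $IFS plus pathname expansion; quoted -> 1.
argc_unquoted() { ( cd "$1" && set -- $2 && echo $# ); }
argc_quoted()   { ( cd "$1" && set -- "$2" && echo $# ); }

# Run the thread's loop body ("rm $line" or "rm \"$line\"") on one input
# line in a fresh sandbox and return the files that survive, sorted.
survivors_after_rm() {
    dir=$(make_sandbox)
    if [ "$1" = unquoted ]; then
        ( cd "$dir" && rm $2 2>/dev/null ) || true     # split + globbed
    else
        ( cd "$dir" && rm "$2" 2>/dev/null ) || true   # one literal name
    fi
    ( cd "$dir" && LC_ALL=C ls | tr '\n' ' ' | sed 's/ $//' )
    rm -rf "$dir"
}

if [ "${DEMO:-0}" = 1 ]; then   # DEMO=1 ./script.sh prints the comparison
    for line in 'a; date' '*.txt'; do
        echo "line=[$line] unquoted -> $(survivors_after_rm unquoted "$line")"
        echo "line=[$line] quoted   -> $(survivors_after_rm quoted "$line")"
    done
fi
```

With 'a; date' unquoted, the files 'a;' and 'date' are removed and no command runs; with '*.txt' unquoted, the glob deletes secret.txt, while the quoted form removes nothing in either case.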