Re: Structurally fixing command injection bugs

From: Jim Porter
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 10:57:24 -0800

On 2/22/2023 2:08 AM, Vasilij Schneidermann wrote:
> I see several options for moving forward:
> - Come up with a different replacement working much like
>   `process-lines`, but returning a string instead (I have no idea what
>   an appropriate name would be, maybe `command-to-string`?)

Where possible, I think this is probably best, but there are likely times where you really want the benefits of a shell. For example, what if the command you want to run involves a pipeline? One option for this would be to enhance 'shell-command-to-string' so that you can pass it arguments that will be correctly escaped when substituted into the final command string. For example:

  (shell-command-to-string "cat %s | rev" "file with a $weird name.txt")
  ;; Runs "cat 'file with a $weird name.txt' | rev"

(This is similar to what you might do when parameterizing an SQL query or something.)
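The parameterized call proposed in the message above can be sketched with today's primitives. This is an added example, not code from the thread or from Emacs: `my-shell-command-to-string` is a hypothetical name, and the quoting style is whatever `shell-quote-argument` produces, which need not be the single-quoted form shown in the message.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: `my-shell-command-to-string' is a hypothetical wrapper,
;; not an Emacs function.  It uses only `shell-quote-argument' and
;; `shell-command-to-string', both of which exist in Emacs.

(defun my-shell-command-to-string (template &rest args)
  "Run TEMPLATE in a shell and return its output as a string.
Each %s in TEMPLATE is replaced by the next element of ARGS, quoted
with `shell-quote-argument'; %% yields a literal percent sign.  Any
other directive, or a mismatch between the number of %s and ARGS, is
an error, so a value can never reach the shell unquoted.
A %s must stand alone as a shell word: do not put quotes around it
in TEMPLATE, because the substituted text is already quoted."
  (let ((rest args) (start 0) (parts nil))
    (while (string-match "%\\(\\(?:.\\|\n\\)?\\)" template start)
      ;; Save the match data first: `shell-quote-argument' runs its
      ;; own regexp matches and would overwrite it.
      (let ((beg (match-beginning 0))
            (end (match-end 0))
            (spec (match-string 1 template)))
        (push (substring template start beg) parts)
        (cond
         ((equal spec "s")
          (unless rest (error "Too few arguments for template"))
          (push (shell-quote-argument (pop rest)) parts))
         ((equal spec "%") (push "%" parts))
         (t (error "Unsupported directive in template: %%%s" spec)))
        (setq start end)))
    (when rest (error "Too many arguments for template"))
    (push (substring template start) parts)
    (shell-command-to-string (apply #'concat (nreverse parts)))))

;; Constructed demonstration, assuming a POSIX shell with `rev'
;; available.  The file name is data only: the shell does not expand
;; `$weird' or split the name on spaces.
(my-shell-command-to-string "printf '%%s\\n' %s | rev"
                            "file with a $weird name.txt")

;; The pattern the wrapper replaces, shown for contrast and left
;; commented out: plain `format' hands the name to the shell unquoted.
;; (shell-command-to-string
;;  (format "cat %s | rev" "file with a $weird name.txt"))
```

As with a parameterized SQL query, the template is the only part the caller writes as shell syntax, so it should be a constant in the calling code rather than something assembled from input.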

