bug#59817: [PATCH] Fix etags local command injection vulnerability
From: Francesco Potortì
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 06 Dec 2022 16:05:59 +0100
>I don't understand why you need an extra pair of quotes in the expanded
>string.
>
> $ echo \''hello; world'
> 'hello; world
>
>As you see, the semi-colon was successfully hidden from the shell.
>
>What am I missing?
That only works at the beginning or end of a string. In general, inside a
single-quoted string, single quotes are not allowed. So, to include a single
quote inside a single-quoted string, you have to:
- close the quoted string using '
- put a literal single quote using \'
- reopen the quoted string using '
If you want to avoid checking for the special cases of a stray single string at
beginning or end of the original string, you just quote everything with a
single quote at beginning and end, and then substitute each ' with '\''.
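
The quoting rule described in the message above, written out as an added C example; it is not part of the original message or of the etags patch. The function name `sh_single_quote` and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote ARG for a POSIX shell: wrap it in single quotes and replace each
   embedded ' with '\'' (close the string, literal quote, reopen the string).
   Returns a malloc'd string the caller frees, or NULL if allocation fails.
   Hypothetical helper, not taken from etags.  */
char *
sh_single_quote (const char *arg)
{
  size_t len = 2;                       /* opening and closing quote */
  for (const char *p = arg; *p; p++)
    len += (*p == '\'') ? 4 : 1;        /* each ' expands to 4 bytes */

  char *out = malloc (len + 1);
  if (!out)
    return NULL;

  char *q = out;
  *q++ = '\'';
  for (const char *p = arg; *p; p++)
    {
      if (*p == '\'')
        {
          memcpy (q, "'\\''", 4);
          q += 4;
        }
      else
        *q++ = *p;
    }
  *q++ = '\'';
  *q = '\0';
  return out;
}

int
main (void)
{
  /* Constructed samples: quote at the start, in the middle, and none.  */
  const char *names[] = { "hello; world", "'hello; world", "it's; id", "" };
  for (size_t i = 0; i < sizeof names / sizeof *names; i++)
    {
      char *quoted = sh_single_quote (names[i]);
      if (!quoted)
        return 1;
      printf ("%-16s -> %s\n", names[i], quoted);
      free (quoted);
    }
  return 0;
}
```

Because every input is wrapped unconditionally, a quote at the beginning, middle or end of the string needs no special case, and the empty string becomes `''` rather than disappearing from the command line.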