Re: [SpeechIO-195] speechd v0.54 - morse code support
On Mon, 15 Nov 1999, Kyle Burton wrote:
> It's not safe :) You have to separate the arguments into an array
> when you pass them to system(). I assume the single quotes you have
> used are to account for the possibility of spaces being in $text -- if
> you use the array syntax for system(), the quotes aren't necessary --
> actually, the fact that you used the quotes shows that you were trying
> to protect the spaces from the shell :) Instead, do something like this:
> This passes $text directly into the argv of $cmd, and no shell is ever
> invoked (so it's more efficient too). To be really safe, you should
> make sure $cmd is fully pathed, i.e. '/usr/bin/morse' instead of just
> 'morse'. Using the array syntax is actually more efficient too, as
> there is no intermediate shell invoked to parse the arguments.
Cool, that's why I asked.
> Now that I've looked at the code, I kind of realize that we should
> add -T to the command line (which could be a little bit of work
> to make the code taint safe). The code should be converted to use
> an array (@cmd) instead of a scalar ($cmd) to be safe when performing
> exec()s, pipe open()s, and system() calls.
I've wanted taint checking in there since I'd heard about it, but I
completely forgot about it.
PGP fingerprint = 03 5B 9B A0 16 33 91 2F A5 77 BC EE 43 71 98 D4
firstname.lastname@example.org / http://www.op.net/~darxus
Find the next largest prime, be famous:
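An added example, not speechd's code and not from either poster, showing the scalar versus list forms of system() and the taint-mode untainting the reply discusses. /bin/echo stands in for /usr/bin/morse so it runs anywhere, and the sample text and the allowlist regex are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not speechd's own code. Run as: perl -T morse_safe.pl 'some text'
# /bin/echo stands in for /usr/bin/morse so it runs anywhere (assumption).
use strict;
use warnings;

# Under -T everything from outside (argv, sockets, %ENV) is tainted, so
# first replace the inherited PATH; perl refuses to exec otherwise.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $text = @ARGV ? $ARGV[0] : "hello world; 'quoted'";   # constructed, tainted

# Scalar form: the whole string is handed to /bin/sh, so the single
# quotes protect spaces only until $t itself contains a quote or a
# shell metacharacter. Under -T perl dies here ("Insecure dependency")
# because a tainted string reaches the shell. Kept only for contrast.
sub speak_scalar {
    my ($t) = @_;
    my $cmd = "/bin/echo '$t'";
    return system($cmd);
}

# List form: each element is one argv entry and no shell is started, so
# quotes, semicolons and spaces in $t are plain characters. The full
# path means the command does not depend on PATH at all.
sub speak_list {
    my ($t) = @_;
    my @cmd = ('/bin/echo', $t);
    return system(@cmd);
}

# perl does not taint-check the elements of a list-form system(), so
# speak_list accepts $text as is. Where the text also ends up in a
# filename or a log path it must be untainted first: the only way to do
# that is a regex capture, which doubles as an allowlist.
sub untaint_text {
    my ($t) = @_;
    return $t =~ /\A([A-Za-z0-9 .,?!'-]{1,200})\z/ ? $1 : undef;
}

speak_list($text) == 0 or warn "morse failed: exit $?\n";

my $clean = untaint_text($text);
if (defined $clean) {
    print "untainted ok: $clean\n";
} else {
    print "rejected: text contains characters outside the allowlist\n";
}
```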