[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SpeechIO-195] speechd v0.54 - morse code support



Ok, the new archive should be attached...my notes are in the CHANGELOG
(and I changed the behavior of 'make dist' so it doesn't have a tar.gz
file inside the archive).

I havne't tested it, just modified it (no festival on the laptop right now).


if someone could test, I'd appricaite feedback so we can fixify it...

k

------------------------------------------------------------------------------
"Think determanisticly, act randomly." 
    -- Unknown
mortis@voicenet.com                            http://www.voicenet.com/~mortis
------------------------------------------------------------------------------

On Mon, 15 Nov 1999, Darxus wrote:

> On Mon, 15 Nov 1999, Kyle Burton wrote:
> 
> > It's not safe :)  You have to seperate the arguments into an array 
> > when you pass them to system().  I assume the single quotes you have
> > used are to account for the possibility of spaces being in $text -- if
> > you use the array syntax for system(), the quotes aren't necessary -- 
> > actually, the fact taht you used the quotes shows that you were trying
> > to protect the spaces from the shell :)  Instead, do something like this:
> > 
> > system($cmd,$text);
> > 
> > This passes $text directly into the argv of $cmd, and no shell is ever
> > invoked (so it's more efficient too).  To be really safe, you should 
> > make sure $cmd is fully pathed, i.e. '/usr/bin/morse' instead of just 
> > 'morse'.  Using the array syntax is actualy more efficient too, as
> > there is no intermediate shell invoked to parse the arguments.
> 
> Cool, that's why I asked.
> 
> > Now that I've looked at the code, I kind of relize that we should
> > add -T to the command line (which could be a little bit of work
> > to make the code taint safe).  The code should be converted to use
> > an array (@cmd) instead of a scalar ($cmd) to be safe when performing
> > exec()s, pipe open()s, and system() calls.
> 
> I've wanted taint checking in there since I'd heard about it, but I
> completely forgot about it.
> 
> __________________________________________________________________
> PGP fingerprint = 03 5B 9B A0 16 33 91 2F  A5 77 BC EE 43 71 98 D4
>             darxus@op.net / http://www.op.net/~darxus
>              Find the next largest prime, be famous:
>                 http://www.mersenne.org/prime.htm
> 
> 
> 

new version...