Programming

To prevent injection, I want to exit the attached routine if a semi-colon is in the input string. I am using gcc as the compiler.

#include<stdio.h>
#include<stdlib.h>
int sysrun(char *command) {
int num;
char str[80];
char process[39] = "/xxxx/xxxx/xxxxx/xxxxx/xxxxxx2unix.sh ";
num=0;
strcpy(str,process);
strncat(str,command,35);
num = system(str);
return num;
}

Any thing that is passed via the command string, will be appended as replacement values on the command line. What I want to do is detect if a ";" is in the command string so that I can exit the application without allowing injection. Any help would be appreciated.

I don't quite get what you are trying to do, but this is probably what you want.

Code:

if(strstr(command,";")) {
                fprintf(stdout,"command strings has a ';' in it!\n");
                exit(-1);
}

Shells let you do stuff like this:
command1 ; command2
and that is exactly what you want to prevent. But what about:
command1 && command2
command || command2
One of those would work, depending on the exit code from your shell script. This is probably legal too:
command1 & command2
And there are other variants. The best way to protect yourself is to get rid of system() and instead just fork() and exec().

I am passing a command line option to an oracle external procedure script. Internally the shell script will parse the command line option, but I needed to protect my invokation from imbedded unix commands, which is why I wanted to exit on a semi colon.

I think I get what you want.

Code:

#!/bin/ksh
echo "$@" | grep -q ';' 
if [ $? -eq 0 ] ; then
   echo "invalid parameters"
   exit 1
fi

Thanks for the idea, however the test needed to be inside my "C" application.

ok -

Code:

for(i=1;i<argc;i++)
{
   if(strchr(argv[i],';')!=NULL)
   {
       fprintf(stderr,"%s\n","invalid parameter");
       exit(EXIT_FAILURE);      
   }
}