Block ";" in input string


 
# 8  
Old 06-21-2006
It's a bad sign when your programming strategy shows up on The Daily WTF. But then, half of the important things I learned, I learned on TDWTF.

How about escaping things instead?
Code:
// bashescape.c
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

/* Backslash-escape every byte that is not alphanumeric or whitespace,
   then hand the result to system().  Output is capped at 511 bytes
   plus the terminating NUL. */
int safe_system(const char *strin)
{
  int m,pos=0;
  char bufout[512];

  for(m=0; strin[m] != '\0'; m++)
  {
    char c=strin[m];
    /* 1 byte for an allowed char, 2 for an escaped one */
    int need = (isalnum((unsigned char)c) || isspace((unsigned char)c)) ? 1 : 2;
    if(pos+need > 511) break;   /* leave room for the terminator */
    if(need==2) bufout[pos++]='\\';
    bufout[pos++]=c;
  }
  bufout[pos]='\0';   /* NUL-terminate before use */

  fprintf(stderr,"system(\"%s\")\n",bufout);
  return(system(bufout));
}

int main(int argc, char *argv[])
{
  if(argc < 2)
  {
    fprintf(stderr,"usage: %s STRING\n",argv[0]);
    return 1;
  }
  return(safe_system(argv[1]));
}

Code:
# cc bashescape.c -o bashescape
# ./bashescape "echo hello ; world"
system("echo hello \; world")
hello ; world
#

# 9  
Old 06-21-2006
Jim,
I really like the way you handled my problem. After reading your code, I realized that what I needed to do was to not only check for semi-colons, but to only allow A-Z, 0-9, and space. Since this is what your code did, I rewrote my routine and would like you to throw rocks at it. I don't want to output any errors, only return to the calling routine.

Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy, strncat */
#include <ctype.h>

int sysrun(char *command) {
  int num;
  int m;
  char str[80];
  char process[39] = "/gers/test/adhoc/syscr/wpleca2unix.sh ";

  /* reject the command unless it is all letters, digits and whitespace */
  for(m=0; (m<36)&&(command[m] != '\0'); m++)
  {
    char c=command[m];
    if(!(isalnum((unsigned char)c) || isspace((unsigned char)c)))
    {
      return 0;
    }
  }
  strcpy(str,process);        /* 38 bytes */
  strncat(str,command,35);    /* at most 35 more, fits in str[80] */
  num = system(str);
  return num;
}

# 10  
Old 06-21-2006
Assuming the arguments are never more than 34 chars long then that will work.

Corona actually gave a better solution, i.e., let wpleca2unix.sh fend for itself.
What if that code is invoked by some other means than your program, i.e., another programmer decides to let it run on its own? In general, you should not depend on security with only one secure code layer. IMO.

FWIW:
Code:
for(m=0; command[m]; m++) /* check the whole thing */
  {
    if(!(isalnum((unsigned char)command[m]) || isspace((unsigned char)command[m])))
    {
      return 0;
    }
  }

And, consider using regcomp() and friends when you want to test complex character classes in a long string. In this case the ctype.h tests are easy to implement and understand. Most other times they are a nightmare.
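The advice in #9 and #10 (allow only A-Z, 0-9 and space, check the whole string rather than a prefix, and don't lean on a single layer) carried through as an added example; this is not code from the thread. It goes one step beyond the posted routines by handing the argument to the script through execv() instead of building a command line for system(), so no shell ever parses the string and ";" is just a byte. The names arg_is_allowed, run_script and MAX_ARG are assumptions, the allowlist is the explicit set the poster asked for rather than isspace() (so tabs and newlines are rejected too), and the script path in main() is the one from the thread.

```c
/* Added example (not from the thread): allowlist the whole argument,
 * then run the script without a shell.  Names are hypothetical. */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARG 35   /* same cap as the poster's strncat(str, command, 35) */

/* Return 1 if arg is non-NULL, at most MAX_ARG bytes long, and every byte
 * is A-Z, a-z, 0-9 or a plain space; otherwise 0.  The whole string is
 * checked, not just a prefix, and nothing other than ' ' counts as space. */
int arg_is_allowed(const char *arg)
{
    size_t i;
    if (arg == NULL)
        return 0;
    for (i = 0; arg[i] != '\0'; i++) {
        char c = arg[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == ' ';
        if (!ok || i >= MAX_ARG)   /* bad byte, or 36th byte reached */
            return 0;
    }
    return 1;
}

/* Run `script` with `arg` as its single argument.  Returns the script's
 * exit status (0..255), -1 if arg was rejected (nothing is executed), or
 * -2 if fork/wait failed or the child did not exit normally.  execv()
 * passes argv straight to the program, so the shell never sees the
 * string: "a; b" would reach the script as one literal argument. */
int run_script(const char *script, const char *arg)
{
    pid_t pid;
    int status;

    if (!arg_is_allowed(arg))
        return -1;

    pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char *child_argv[3];
        child_argv[0] = (char *)script;
        child_argv[1] = (char *)arg;
        child_argv[2] = NULL;
        execv(script, child_argv);
        _exit(127);              /* exec failed: use the shell's convention */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -2;
}

int main(int argc, char *argv[])
{
    const char *script = "/gers/test/adhoc/syscr/wpleca2unix.sh"; /* path from the thread */
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s ARG\n", argv[0]);
        return 2;
    }
    rc = run_script(script, argv[1]);
    if (rc == -1)
        fprintf(stderr, "argument rejected\n");
    return rc < 0 ? 1 : rc;
}
```

The check and the invocation are separate functions on purpose: the allowlist stays useful even if the script is later called some other way, and the execv() path stays safe even if someone loosens the allowlist. Because the rejected-argument return (-1) cannot collide with an exit status, the caller can tell "refused" from "script returned 0".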
# 11  
Old 06-21-2006
Because I use the strncat function to append the command onto the script invocation and I have a maximum length of 35 (or the actual length of command if less than 35), it should work fine. The wpleca2unix.sh script can only be accessed through the Oracle database external procedure, which can only be accessed via the C library that I am building.

Thank you for the review, I appreciate it.