07-17-2015
@ Corona: Just to be sure, backticks are ` ~= $(cmd)?
@ Chubler: Not yet; break_on_injections will be my first 'general parsing of input' of passed strings within all (most, at least) of my tui-commands.
From the perspective of a local user, I'm not aware of injection problems causing more trouble than the local access to the machine anyway.
The main reason I'm currently at this is because of feedback when passing strings from a webpage to some (unnamed) tui-command.
In combination, I hope to keep up the current functionality and make it more secure.
What I figured so far, and what Rudic confirmed, was that regular strings (quoted inside ") work as expected, but hardcoded strings (quoted inside ') will 'trigger' break_on_injections.
To my understanding, such strings (when passed from a webpage, which tui was not thought of/coded for) would (should?) be passed as hardcoded strings, or get properly escaped before passing to the tui-command, using the 'php escape functions' as proposed on the linked wiki page from the first post.
What i thought of was:
1) Make the function available to all the commands, e.g. place it in a file that is sourced anyway.
2) Call the function before the (string-)arguments are processed any further
3) If 'injections' are found, abort with failure.
Going to try this evening.
Thank you
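Added example (not code from the tui project or from the poster): one way to implement the break_on_injections check the plan above describes, as a function sourced by every command and called before string arguments are processed. It rejects any argument that still carries command-substitution syntax (backtick, `$(`, or the process substitutions `<(` / `>(`), and it also shows the quoting behaviour the thread discusses: a double-quoted `$(cmd)` is expanded by the caller's shell before the function sees it, while a single-quoted one arrives verbatim and is rejected. The function names, the allowlist in require_safe_chars and the tui_echo command are assumptions.

```shell
#!/bin/sh
# Added example, not the tui project's own code. POSIX sh plus the widely
# supported "local" keyword; all function names are assumptions.

# break_on_injections ARG...
# Return 0 if no argument contains command-substitution syntax, 1 otherwise.
# Only the literal argument text is inspected: if the caller wrote "$(cmd)"
# in double quotes, the caller's shell has already run it, so nothing is
# left to detect here. That is the behaviour described in the thread.
break_on_injections() {
    local arg
    for arg in "$@"; do
        case $arg in
            *'`'*|*'$('*|*'<('*|*'>('*)
                printf 'break_on_injections: rejected argument: %s\n' "$arg" >&2
                return 1 ;;
        esac
    done
    return 0
}

# require_safe_chars ARG...
# Allowlist alternative (assumed set of characters): accept only letters,
# digits, whitespace and a few punctuation characters a tui command needs.
# A denylist such as the one above only catches command substitution; for
# strings that arrive from a web page an allowlist is the safer check.
# Note that [:alnum:] is locale dependent and may admit non-ASCII letters.
require_safe_chars() {
    local arg
    for arg in "$@"; do
        case $arg in
            *[![:alnum:][:space:]_.,:@/=-]*)
                printf 'require_safe_chars: disallowed character in: %s\n' "$arg" >&2
                return 1 ;;
        esac
    done
    return 0
}

# tui_echo ARG...
# Stand-in for a tui command (hypothetical): runs the check first, aborts
# with failure if it trips, otherwise prints the joined arguments.
tui_echo() {
    break_on_injections "$@" || return 1
    printf '| %s |\n' "$*"
}

# Demonstration of the quoting difference from the thread:
tui_echo "Hello, $(date +%Y)"                        # caller expanded $(...) first: accepted
tui_echo 'Hello, $(date +%Y)' || echo 'rejected, as expected'   # verbatim text: rejected
```

Source the file from the tui commands and call `break_on_injections "$@"` as the first statement of each one; the return code decides whether the command continues.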
LEARN ABOUT DEBIAN
systemd-escape
SYSTEMD-ESCAPE(1) systemd-escape SYSTEMD-ESCAPE(1)
NAME
systemd-escape - Escape strings for usage in systemd unit names
SYNOPSIS
systemd-escape [OPTIONS...] [STRING...]
DESCRIPTION
systemd-escape may be used to escape strings for inclusion in systemd unit names. The command may be used to escape and to undo escaping of
strings.
The command takes any number of strings on the command line, and will process them individually, one after another. It will output them
separated by spaces to stdout.
By default, this command will escape the strings passed, unless --unescape is passed which results in the inverse operation being applied.
If --mangle is given, a special mode of escaping is applied instead, which assumes the string is already escaped but will escape everything
that appears obviously non-escaped.
For details on the escaping and unescaping algorithms see the relevant section in systemd.unit(5).
OPTIONS
The following options are understood:
--suffix=
Appends the specified unit type suffix to the escaped string. Takes one of the unit types supported by systemd, such as "service" or
"mount". May not be used in conjunction with --template=, --unescape or --mangle.
--template=
Inserts the escaped strings in a unit name template. Takes a unit name template such as foobar@.service. May not be used in conjunction
with --suffix=, --unescape or --mangle.
--path, -p
When escaping or unescaping a string, assume it refers to a file system path. This eliminates leading, trailing or duplicate "/"
characters and rejects "." and ".." path components. This is particularly useful for generating strings suitable for unescaping with
the "%f" specifier in unit files, see systemd.unit(5).
--unescape
Instead of escaping the specified strings, undo the escaping, reversing the operation. May not be used in conjunction with --suffix=,
--template= or --mangle.
--mangle
Like --escape, but only escape characters that are obviously not escaped yet, and possibly automatically append an appropriate unit
type suffix to the string. May not be used in conjunction with --suffix=, --template= or --unescape.
-h, --help
Print a short help text and exit.
--version
Print a short version string and exit.
EXAMPLES
To escape a single string:
$ systemd-escape 'Hallöchen, Meister'
Hall\xc3\xb6chen\x2c\x20Meister
To undo escaping on a single string:
$ systemd-escape -u 'Hall\xc3\xb6chen\x2c\x20Meister'
Hallöchen, Meister
To generate the mount unit for a path:
$ systemd-escape -p --suffix=mount "/tmp//waldi/foobar/"
tmp-waldi-foobar.mount
To generate instance names of three strings:
$ systemd-escape --template=systemd-nspawn@.service 'My Container 1' 'containerb' 'container/III'
systemd-nspawn@My\x20Container\x201.service systemd-nspawn@containerb.service systemd-nspawn@container-III.service
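Added example, not part of the systemd project or of this manual page: a small shell re-implementation of the escaping rules that systemd-escape applies, following the description in systemd.unit(5) for systemd 237 ("/" becomes "-", ASCII alphanumerics and "_" pass through, "." passes through unless it is the first character, every other byte becomes a C-style \xNN escape), with the --path, --suffix= and --template= behaviours from the OPTIONS section and the inverse --unescape operation. Strings are processed byte by byte, which is why the two UTF-8 bytes of "ö" become \xc3\xb6 in the example above. The function names are assumptions; the outputs reproduce the EXAMPLES section.

```shell
#!/bin/sh
# Added example, not systemd code. POSIX sh plus "local"; works byte-wise
# via od so that multibyte characters escape to one \xNN per byte.

# hex_to_byte HH: print the single byte with hex value HH.
# Octal printf escapes are used because \x escapes are not POSIX.
hex_to_byte() {
    printf "\\$(printf '%03o' "$((0x$1))")"
}

# systemd_escape STRING [path]
# With "path" as second argument the --path rules apply: duplicate, leading
# and trailing "/" are removed, "/" alone becomes "-", and "." or ".."
# components are rejected with a non-zero exit status.
systemd_escape() {
    local s mode out b i
    s=$1; mode=${2:-plain}; out=''; i=0
    if [ "$mode" = path ]; then
        s=$(printf '%s' "$s" | tr -s '/')
        s=${s#/}; s=${s%/}
        if [ -z "$s" ]; then printf '%s\n' '-'; return 0; fi
        case "/$s/" in
            */./*|*/../*)
                echo "systemd_escape: '.' and '..' path components are not allowed" >&2
                return 1 ;;
        esac
    fi
    for b in $(printf '%s' "$s" | od -An -v -tx1); do
        case $b in
            2f) out="$out-" ;;                       # "/" -> "-"
            2e) if [ "$i" -eq 0 ]; then out="$out"'\x2e'; else out="$out."; fi ;;
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|5f)
                out="$out$(hex_to_byte "$b")" ;;     # 0-9 A-Z a-z _ pass through
            *) out="$out\\x$b" ;;                    # everything else -> \xNN
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# systemd_unescape STRING [path]: reverse of systemd_escape.
# "-" becomes "/" and \xNN becomes the byte; in path mode a "/" is prepended.
systemd_unescape() {
    local s mode out rest hh
    s=$1; mode=${2:-plain}; out=''
    if [ "$mode" = path ] && [ "$s" = - ]; then printf '/\n'; return 0; fi
    while [ -n "$s" ]; do
        case $s in
            -*) out="$out/"; s=${s#-} ;;
            '\x'[0-9a-fA-F][0-9a-fA-F]*)
                rest=${s#????}; hh=${s%"$rest"}; hh=${hh#??}
                out="$out$(hex_to_byte "$hh")"; s=$rest ;;
            *)  rest=${s#?}; out="$out${s%"$rest"}"; s=$rest ;;
        esac
    done
    if [ "$mode" = path ]; then out="/$out"; fi
    printf '%s\n' "$out"
}

# --suffix=TYPE: append a unit type to the escaped string.
systemd_escape_suffix() {
    local e
    e=$(systemd_escape "$1" "${3:-plain}") || return 1
    printf '%s.%s\n' "$e" "$2"
}

# --template=NAME@.TYPE: place the escaped string in the instance slot.
systemd_escape_template() {
    local t e
    t=$2
    e=$(systemd_escape "$1") || return 1
    printf '%s\n' "${t%@*}@$e${t#*@}"
}

# The manual's examples, reproduced:
systemd_escape 'Hallöchen, Meister'                              # Hall\xc3\xb6chen\x2c\x20Meister
systemd_unescape 'Hall\xc3\xb6chen\x2c\x20Meister'               # Hallöchen, Meister
systemd_escape_suffix '/tmp//waldi/foobar/' mount path           # tmp-waldi-foobar.mount
systemd_escape_template 'My Container 1' 'systemd-nspawn@.service'   # systemd-nspawn@My\x20Container\x201.service
```

The rejection of "." and ".." in path mode is the part worth keeping in mind when unit names are derived from user-supplied paths: a name that unescapes to "/tmp/../etc" would be accepted by a naive escaper, so the check has to happen before the string is turned into a unit name.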
EXIT STATUS
On success, 0 is returned, a non-zero failure code otherwise.
SEE ALSO
systemd(1), systemd.unit(5), systemctl(1)
systemd 237 SYSTEMD-ESCAPE(1)