Reid Thompson
5/25/2007 1:52:00 PM
Jenda Krynicky wrote:
> Suraj Kurapati wrote:
>> Jano Svitok wrote:
>>> arg1 = "sdas"
>>> arg2 = "sadada"
>>> `svn-admin #{arg1} #{arg2}`
>> This only works if the arguments do not contain spaces (otherwise you
>> end up with more than 2 arguments!). In general, you should protect the
>> arguments with quotes using Object#inspect:
>>
>> `svn-admin #{arg1.inspect} #{arg2.inspect}`
>>
>> There are special cases when you don't need the particular way non-ASCII
>> characters are expressed (octal escape sequences), but this approach
>> works for most purposes.
>
> And why do you think the quoting rules of the shell/command processor
> match, at least approximately the quoting rules of Ruby?
>
> Imagine
> arg1 = "some `cd /; rm -rf` sss"
>
> now, what does .inspect do with this? It puts double quotes around the
> string. FULLSTOP. What does a unix shell do with something enclosed in
> backticks within a double quoted parameter? It EXECUTES the stuff as a
> COMMAND and inserts the output into the doublequoted string. Try
>
> echo "List is: `ls` and that's all"
>
> in your shell!
>
> Well, do you really want to have such a huge security hole in your
> script? Do you? Imagine the arg1 came from the web! Besides the .inspect
> only promises to return a "human-readable representation of obj".
>
> If you do not need to capture the output of the command please use
>
> system( command, arg1, arg2)
>
> If you do, you need to be more careful and use a method that was
> designed to be safe. Or make sure and doubly sure the arg1 and arg2 only
> contain stuff that's safe. Please!
>
> Jenda
>
see popen.....
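An added example, not code from the thread's participants, that contrasts the three quoting strategies discussed above: Object#inspect (leaves backticks live inside double quotes), Shellwords.escape from the standard library (backslash-escapes every metacharacter), and the argv-array forms of system and IO.popen (no shell at all). The untrusted argument is constructed here, it is only ever passed through `echo`, and the example assumes a POSIX sh and an `echo` binary on PATH.

```ruby
require 'shellwords'

# Constructed sample: an argument carrying a backtick command substitution,
# the shape of value Jenda's reply warns about. It is only ever handed to
# `echo` below, never executed as a command.
UNTRUSTED_ARG = "some `id` sss"

# The inspect approach from the thread: wraps the string in double quotes.
# A POSIX shell still performs command substitution inside double quotes,
# so the backticks reach the shell unescaped.
def quote_with_inspect(arg)
  arg.inspect
end

# Shellwords.escape (stdlib) backslash-escapes every shell metacharacter,
# so the shell sees exactly one literal word.
def quote_with_shellwords(arg)
  Shellwords.escape(arg)
end

# Detection helper: does the quoted form still contain a backtick that is
# not preceded by a backslash?
def unescaped_backtick?(quoted)
  quoted.match?(/(?<!\\)`/)
end

# Safest form: pass argv as an array. Ruby execs the program directly and
# no shell ever parses the arguments. Returns the command's stdout.
def run_capture(argv)
  IO.popen(argv, &:read)
end

# Same idea when output is not needed: system with separate arguments.
# Returns true on exit status 0.
def run_no_capture(argv)
  system(*argv)
end

# Going through the shell is acceptable only when every argument has been
# escaped with Shellwords.escape; the string form of IO.popen uses /bin/sh.
def run_capture_via_shell(cmd, *args)
  IO.popen("#{cmd} #{args.map { |a| Shellwords.escape(a) }.join(' ')}", &:read)
end

if __FILE__ == $PROGRAM_NAME
  puts "inspect quoting   : #{quote_with_inspect(UNTRUSTED_ARG)}"
  puts "shellwords quoting: #{quote_with_shellwords(UNTRUSTED_ARG)}"
  puts "argv popen output : #{run_capture(['echo', UNTRUSTED_ARG])}"
  puts "escaped sh output : #{run_capture_via_shell('echo', UNTRUSTED_ARG)}"
  run_no_capture(['echo', UNTRUSTED_ARG])
end
```

The argv forms are the ones to reach for by default; the escaped-shell form only earns its keep when a pipeline or redirection genuinely needs the shell.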