Sandor Szücs
7/21/2008 4:53:00 PM
On 21.07.2008, at 12:00, Usman Akram wrote:
> i do this but not working :-(
>
> user_name = gets
>
> system ('adduser -m $user_name')
0) Try that in the Interactive Ruby (irb) and you will get the problem.
1) user_name is your locally defined variable, $user_name is another, global
variable name.

    $user_name.nil? # returns true
2) If you want to use your variable in a string you have to use double quotes "
instead of single quotes ' and in Ruby you can use the following syntax:

    "mystring #{var}"
    "mystring "+ var
    "mystring " << var
one simple solution with proof of shell injection is:

    tries = 0
    username = ""
    while not username.match(/\A[a-zA-Z0-9]+\Z/)
      tries = tries.succ
      exit! if tries > 3
      print "username: "
      username = gets.chomp.strip
    end
    system('adduser -m ' + username)
regards, Sandor Szücs
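
Added example, not part of the original post: the same allowlist check combined with the multi-argument (argv) form of command execution, so no shell ever parses the username. The helper names are hypothetical, `echo` stands in for `adduser`, and the sample inputs are constructed; it goes slightly beyond the post by anchoring with `\z`, which unlike `\Z` also rejects a trailing newline.

```ruby
require 'open3'

# Same character allowlist as the post, anchored with \z (end of string only).
USERNAME_RE = /\A[a-zA-Z0-9]+\z/

def valid_username?(name)
  name.is_a?(String) && USERNAME_RE.match?(name)
end

# Hypothetical helper: build an argument vector instead of a command string.
def adduser_argv(name)
  raise ArgumentError, "invalid username: #{name.inspect}" unless valid_username?(name)
  ['adduser', '-m', name]
end

# Run a command given as an argv array. With more than one element the
# program is executed directly and its arguments are never shell-parsed.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  [out, status.success?]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including strings with shell metacharacters.
  ['alice', "alice\n", 'bob; echo injected', '$(whoami)', ''].each do |s|
    puts "#{s.inspect} accepted? #{valid_username?(s)}"
  end

  # \Z tolerates one trailing newline, \z does not.
  puts "\\Z accepts \"alice\\n\": #{!("alice\n" =~ /\A[a-zA-Z0-9]+\Z/).nil?}"

  # echo stands in for adduser: the metacharacters arrive as literal text.
  out, = run_argv(['echo', 'bob; echo injected'])
  puts out
end
```

With the argv form, validation and execution are two independent layers: a string that slipped past the check would still reach the program as a single literal argument.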