Re: [dev][project] soap - a simple xdg-open replacement

From: FRIGN <dev_AT_frign.de>
Date: Sun, 4 May 2014 13:35:24 +0200

On Sun, 4 May 2014 12:23:11 +0100
Chris Down <chris_AT_chrisdown.name> wrote:
 
> That also doesn't really work, as a basic example, "&" is a perfectly
> valid character in a URI without encoding, but it has other meaning to
> most shells (it is a backgrounding operator).
>
> I just think there are too many potential pitfalls.

Wait a second: Don't forget I also do a shell-escape of the incoming
string. If somebody passed

; rm -rf /; .jpg

to my xdg-open, the internal parser would directly convert it to:

'; rm -rf /; .jpg'

and, in this case, pass it to feh as

feh '; rm -rf /; .jpg'

Now, in case you got the idea to just include a ' in the string, the
parser deals with that properly, too, and converts it to a '\''. So,
unless you don't mess it up internally by having a stray ' (like "feh '%
s" for instance), this is perfectly safe.
The action-string in the config.h-rows never gets in touch with the raw
argv[1], but only with the safely escaped version of it.

Cheers

FRIGN

-- 
FRIGN <dev_AT_frign.de>
Received on Sun May 04 2014 - 13:35:24 CEST

This archive was generated by hypermail 2.3.0 : Sun May 04 2014 - 13:36:06 CEST