Re: Shell Script on a string
- Subject: Re: Shell Script on a string
- From: Hudson Barton <email@hidden>
- Date: Mon, 18 Nov 2002 11:53:32 -0500
OK. I understand the reasoning. An approach that creates files (to
store the string temporarily) should address the problem. This is
what John Delacour suggested in the first place.
H.
At 5:43 AM -0800 11/17/02, Randal L. Schwartz wrote:
>>>>> "Hudson" == Hudson Barton <email@hidden> writes:
Hudson> set x to (do shell script ("echo '" & myText & "' | openssl bf -salt
Hudson> -pass pass:" & Password1 & ""))
These are *soooo* unsafe when the password contains odd characters.
Shell quoting, people. Shell metacharacters, people.
Hudson> Which "odd characters" are unsafe? Why are they unsafe?
For "Password1", anything that is a shell metachar, like whitespace,
pound, dollar, ampersand, star, parens, brackets, backslash, backticks,
tilde, semicolon, single or double quotes, less than, greater than,
question mark. And probably a few I didn't notice on my keyboard.
For "myText", single quotes and backslash are significant.
The problem is that you're constructing a command as a single string,
then handing that to the shell to say "parse this into a command".
Shell metachars are all significant at that point. At best, it means
some things will break. At worst, it's a potential security
nightmare.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<email@hidden> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.
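
The quoting problem described in the message above, as an added example that is not part of the original thread: the same command string is built once by pasting the value in raw and once after wrapping it as a single-quoted shell word. The function names (`sh_quote`, `naive_pw`, `quoted_pw`, `naive_text`, `quoted_text`) are hypothetical, `printf` stands in for the `openssl` call, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample values below are constructed.

# sh_quote VALUE: print VALUE as a single shell word wrapped in single quotes.
# Each embedded ' becomes '\'' (close the quote, escaped quote, reopen).
sh_quote() {
    s=$1
    out=
    while :; do
        case $s in
            *\'*)
                head=${s%%\'*}      # text before the first '
                s=${s#*\'}          # text after it
                out="$out$head'\\''"
                ;;
            *)  out="$out$s"; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# Naive forms mirror the quoted AppleScript: the value is pasted into the
# command string and the shell re-parses it. printf stands in for openssl.
naive_pw()    { sh -c "printf '%s\n' pass:$1"; }
naive_text()  { sh -c "printf '%s\n' '$1'" 2>/dev/null; }

# Quoted forms: the same command strings, with the value passed through sh_quote.
quoted_pw()   { sh -c "printf '%s\n' pass:$(sh_quote "$1")"; }
quoted_text() { sh -c "printf '%s\n' $(sh_quote "$1")"; }

pw='two words; # tail'   # constructed: whitespace, semicolon, pound
txt="it's here"          # constructed: single quote

echo "naive  pw  : $(naive_pw "$pw" | tr '\n' '|')"
echo "quoted pw  : $(quoted_pw "$pw")"
naive_text "$txt" || echo "naive  text: shell refused to parse the command"
echo "quoted text: $(quoted_text "$txt")"
```

In AppleScript itself, `quoted form of myText` produces the same single-quoted wrapping before the string is handed to `do shell script`.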