On Wed, Dec 10, 2014 at 12:38:55PM +0000, Dominic Cleal wrote:
> Here's another idea:
>
> get /files/sys/class/net/*[label()='em1']/address/content
>
> Instead of putting the unsanitised content directly into the path, you
> put it into the quoted string, which significantly reduces the amount of
> escaping required.
>
> To escape safely in that string, you'd double any slashes (as there are
> some escape codes) and remove any single quotes (it appears to me that
> escaping quotes doesn't work).
>
> I agree about the direction of an aug_defconst or aug_escape though, the
> API should be able to help more with unsanitised data.

I'm having a hard time making variables work at all. For example, is
the second set of commands below supposed to work?

augtool> get /files/etc/passwd/*[label()='root']/uid
/files/etc/passwd/*[label()='root']/uid = 0

augtool> defvar username root
augtool> get /files/etc/passwd/*[label()=$username]/uid
/files/etc/passwd/*[label()=$username]/uid (o)
augtool> get /files/etc/passwd/*[label()='$username']/uid
/files/etc/passwd/*[label()='$username']/uid (o)
augtool> get /files/etc/passwd/*[label()=username]/uid
/files/etc/passwd/*[label()=username]/uid (o)

_If_ that worked, then implementing aug_defconst would allow us to
sanitize user input quite cleanly.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
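
Added example, not part of the original message and not Augeas code: a small Python helper that confines untrusted text to the quoted string of a label() predicate, using the escaping rule from the quoted message. It assumes "slashes" there means backslashes; the names quote_literal and label_path, the strict option and the sample values are hypothetical and constructed for illustration.

```python
def quote_literal(value, strict=False):
    """Return value as a single-quoted literal for a path expression.

    Rule from the quoted message: double backslashes (assumed reading of
    "slashes") and remove single quotes, since escaping quotes does not
    appear to work. With strict=True a value containing a quote is refused
    instead of altered, so the caller never queries a different label than
    the one it was given.
    """
    if strict and "'" in value:
        raise ValueError("single quote in value; refusing to alter it")
    escaped = value.replace("\\", "\\\\")   # double backslashes
    escaped = escaped.replace("'", "")      # drop the string delimiter
    return "'" + escaped + "'"


def label_path(parent, label, child="", strict=False):
    """Build parent/*[label()='<label>']child with label as untrusted data."""
    return "%s/*[label()=%s]%s" % (parent, quote_literal(label, strict), child)


def demo():
    """Run the helper over constructed sample inputs."""
    parent, child = "/files/sys/class/net", "/address/content"
    samples = [
        "em1",                      # ordinary interface name
        "em1']/../*[label()='lo",   # tries to close the string early
        "we\\ird",                  # contains one backslash
    ]
    return [label_path(parent, s, child) for s in samples]


if __name__ == "__main__":
    for expr in demo():
        # Exactly two quotes means the literal opens and closes once.
        print(expr.count("'"), expr)
```

Dropping quotes changes the value, so two different inputs can end up matching the same node; strict=True turns that case into an error the caller has to handle.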
