On 18 May 2017 at 19:14, R. Scott Evans <[email protected]> wrote:

> For internal use, why trouble oneself with the maintenance, excessive
> libraries, modules and crud that another "installed" option would require if
> you don't need all its features. As far as injecting anything unwanted,
> that is the point of only showing a snippet... security is left to the
> OP/programmer.

No one should ever encourage use of system() or backticks. It's pretty much 0 cost to do it the right way via, say, popen.

To keep things on topic, I'm glad Cisco has not learned this lesson: when the 3850/3650 were released, I wanted to look into the Linux shell, but it was guarded by PKI. Luckily the verification was system(/some/script/to/check/it <userinput>/) and checking the return value. So give poop||true, and you got to the Linux shell.

Your code has the same issue, as does all code which makes the extremely naive mistake of calling external binaries via shell expansion, when there is an almost as simple solution where user input sanity is irrelevant.

--
++ytti
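
The failure mode described in the message above, next to a shell-free form, as an added example that is not part of the original post or anyone's production code. It assumes a POSIX system and uses `false` as a hypothetical stand-in for the verification script; it uses fork/execvp rather than popen because C's popen() also hands its command string to /bin/sh.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the verification script: `false` rejects
 * every input, so any "accepted" (0) result below is a bypass. */
#define CHECKER "false"

/* Pattern from the message: input pasted into a shell command line.
 * Returns the exit status; 0 means the check is treated as passed. */
int check_via_shell(const char *input)
{
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "%s %s", CHECKER, input);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int status = system(cmd);            /* /bin/sh -c parses the input */
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Same check with no shell: the input is exactly one argv element,
 * so shell metacharacters in it are never interpreted. */
int check_via_exec(const char *input)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)CHECKER, (char *)input, NULL };
        execvp(CHECKER, argv);
        _exit(127);                      /* exec failed: count as rejection */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *input = "anything||true"; /* constructed sample input */
    printf("shell: %d\n", check_via_shell(input));
    printf("exec:  %d\n", check_via_exec(input));
    return 0;
}
```

With the shell in the path the checker's verdict is replaced by that of whatever command the input appends; with an argv array the checker alone decides.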
