* Roland Mas <[EMAIL PROTECTED]> [070521 17:04]:
> > I only had a brief look at it, but I generally recommend to identify
> > a set of allowed and known to be secure characters and only allow
> > these instead of filtering potential malicious characters. So, if
> > the value to be sanitised is a file name you could limit it to "/",
> > a-z, A-Z and 0-9.
>
> The problem is that people have this tendency to put all kinds of
> strange files into CVS, sometimes with strange names, so such a strict
> whitelist is going to make lots of people unhappy. Especially now
> UTF-8 is actually being used more and more widely, people tend to
> assume it's okay to use non-ASCII characters in file names.
I think the problem is that the argument is given within "s to a shell.
If it was within 's, then ' should be the only dangerous character. (At
least at that point. The called program might have additional holes.)

Respectfully,
	Bernhard R. Link
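Added example, not code from either correspondent: a POSIX sh helper that single-quotes an arbitrary file name (so, as Bernhard says, the embedded `'` is the only character that needs treatment), the strict allowlist Roland quotes for contrast, and a round-trip check showing why building the command string with the name inside "s is the part that goes wrong. The function names are my own.

```sh
#!/bin/sh
# sq: wrap a string in single quotes for a POSIX shell. Inside '...'
# nothing is special except the closing ', so each ' becomes '\''.
# Pure-shell loop (no sed/awk), works byte-wise, so UTF-8 names pass through.
sq() {
    s=$1; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character (or byte) of $s
        s=${s#?}                 # drop it
        if [ "$c" = "'" ]; then out="$out'\\''"; else out="$out$c"; fi
    done
    printf "'%s'" "$out"
}

# is_plain_name: the allowlist from the quoted advice: only "/", a-z, A-Z, 0-9.
# Returns 1 (false) for anything else, including every non-ASCII name.
is_plain_name() {
    case $1 in
        *[!A-Za-z0-9/]*) return 1 ;;
        "") return 1 ;;
    esac
    return 0
}

# Interpolating the name into a double-quoted command string: the shell still
# expands $(...), `...` and $var inside "...", so the name is interpreted.
roundtrip_dq() {
    sh -c "printf '%s' \"$1\""
}

# Same call with the name single-quoted by sq: the shell hands it over verbatim.
roundtrip_sq() {
    sh -c "printf '%s' $(sq "$1")"
}

# Constructed sample names for a stand-alone run.
main() {
    n="it's \"quoted\" \$(echo expanded) * ü"
    printf 'quoted form : %s\n' "$(sq "$n")"
    printf 'round trip  : %s\n' "$(roundtrip_sq "$n")"
    is_plain_name "src/main" && echo "src/main passes the allowlist"
    is_plain_name "$n" || echo "sample name is rejected by the allowlist"
}
[ "${0##*/}" = "quote_demo.sh" ] && main
```

The double-quoted variant is kept only to make the contrast visible; the fix is to quote with `sq` (or, better, to avoid passing the name through a shell at all).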