* Roland Mas <[EMAIL PROTECTED]> [070521 17:04]:
> > I only had a brief look at it, but I generally recommend to identify
> > a set of allowed and known to be secure characters and only allow
> > these instead of filtering potential malicious characters.  So, if
> > the value to be sanitised is a file name you could limit it to "/",
> > a-z, A-Z and 0-9.
> 
> The problem is that people have this tendency to put all kinds of
> strange files into CVS, sometimes with strange names, so such a strict
> whitelist is going to make lots of people unhappy.  Especially now
> UTF-8 is actually being used more and more widely, people tend to
> assume it's okay to use non-ASCII characters in file names.

I think the problem is that the argument is given within "s to a shell.
If it was within 's, then ' should be the only dangerous character.
(At least at that point. The called program might have additional holes).

Respectfully,
        Bernhard R. Link
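The quoting point made above, worked through as an added example (constructed here, not code from anyone in this thread): inside "double quotes" a POSIX shell still interprets `$`, backtick, `\` and `"`, so a file name containing any of them can break out; inside 'single quotes' only `'` itself is special, and the one transformation needed is `'` to `'\''`. The example implements that single-quote escaping, hands the result to a real `/bin/sh` to show that the called program receives the name byte-for-byte (UTF-8 included, which an a-z/A-Z/0-9 whitelist would reject), and contrasts it with passing argv as a list so no shell parses the name at all. It assumes Python 3 and a `/bin/sh` on the host; the file names are made up.

```python
"""Shell quoting of file names: double quotes vs. single quotes (constructed example)."""
import subprocess

# Characters a POSIX shell keeps interpreting inside "...":
# $ (parameter/command expansion), ` (command substitution), \ (escape), " (closes the quote).
DOUBLE_QUOTE_SPECIALS = set('$`\\"')

# Constructed sample names, deliberately including characters a whitelist would reject.
SAMPLE_NAMES = [
    "plain.txt",
    "it's here.c",
    "Ünïcödé Dateiname.txt",          # UTF-8, as the thread notes is now common in CVS
    'report "$HOME" and `uname`.txt',  # would expand if handed over inside double quotes
    "50% off & done;.log",
]


def dangerous_in_double_quotes(arg: str) -> set:
    """Return the characters of `arg` that remain active inside "...".

    A name containing any of these cannot be made safe just by wrapping it in
    double quotes; each would need its own backslash escape.
    """
    return {c for c in arg if c in DOUBLE_QUOTE_SPECIALS}


def quote_single(arg: str) -> str:
    """Wrap `arg` in single quotes for /bin/sh.

    Inside '...' the only special character is ' itself, so the whole job is:
    close the quote, emit an escaped quote, reopen the quote  ->  ' becomes '\\''.
    Everything else, including non-ASCII bytes, passes through untouched.
    """
    return "'" + arg.replace("'", "'\\''") + "'"


def roundtrip_through_sh(arg: str) -> str:
    """Build a command line with the quoted name, run it through a real shell,
    and return what the called program (printf) actually received."""
    cmd = "printf '%s' " + quote_single(arg)
    out = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, check=True)
    return out.stdout.decode("utf-8")


def run_without_shell(arg: str) -> str:
    """The alternative that needs no quoting at all: the name travels as a
    separate argv element ($1) and the shell never parses it."""
    out = subprocess.run(
        ["/bin/sh", "-c", 'printf "%s" "$1"', "sh", arg],
        capture_output=True,
        check=True,
    )
    return out.stdout.decode("utf-8")


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r}")
        print(f"  active inside \"...\": {sorted(dangerous_in_double_quotes(name)) or 'none'}")
        print(f"  quoted with '...'  : {quote_single(name)}")
        print(f"  sh round trip ok   : {roundtrip_through_sh(name) == name}")
        print(f"  argv list ok       : {run_without_shell(name) == name}")
```

Note that `quote_single` only protects the boundary between your program and the shell; as the message says, the program the shell then runs may still treat the name specially (a leading `-` read as an option, for instance), which is a separate check.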