On Sunday 27 Mar 2011, Binand Sethumadhavan wrote:
> 2011/3/27 Joachim Breitner <[email protected]>:
> >> grep -q "^$USER$" present
> >
> > as discussed in the meeting, this is not sufficient. Safer would be
> > $ fgrep -qx "$USER" present
>
> Why is the first one not sufficient? Why is it unsafe?
Both are unsafe. Consider the user who enters his username as (literally):

Raj `rm -rf /`Mathur

Then your grep command translates to:

grep -q "^Raj `rm -rf /`Mathur$" present

and if your app is running as root, voila! no more files on your system! The user is marked present too :)

The OP needs to do much more thinking about input sanitisation.

Regards,

-- Raj
-- 
Raj Mathur [email protected] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves
-- 
http://mm.glug-bom.org/mailman/listinfo/linuxers
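An added example, not code from any of the posters above, that runs both forms of the presence check from the thread against a constructed roster and a handful of hostile usernames. It assumes the roster is a file named "present" with one username per line and that the username reaches the script exactly as typed. It shows where the two forms actually differ: the regex form lets metacharacters in the username match other people's entries ('b.b' is marked present because of "bob", '.*' is marked present because of anyone), while the fixed-string, whole-line form does not. It also shows that a username containing backticks is matched as a literal string by both forms, since the shell does not re-parse the expanded value of a variable for command substitution, and that `-e` is what keeps an option-looking username such as "-v" from being swallowed as a grep flag.

```shell
#!/bin/sh
# Added example, not code from the original thread: run the two presence
# checks from the discussion against a constructed roster file and a few
# hostile usernames, so the difference between them is visible.
# Assumptions: the roster is a file named "present" with one username per
# line, and the username arrives in $2 exactly as the user typed it.

# Constructed sample roster (the thread's "present" file).
make_roster() {
    printf '%s\n' alice bob dave.k > "$1"
}

# Form from the thread: the username is interpolated into a regular expression.
# $1 = roster file, $2 = username
check_regex() {
    grep -q "^$2$" "$1"
}

# Safer form from the thread: fixed-string (-F, the POSIX spelling of fgrep),
# whole-line (-x) match. -e keeps a username such as "-v" from being parsed
# as a grep option instead of a pattern.
check_fixed() {
    grep -Fqx -e "$2" "$1"
}

# Print how each form classifies one candidate username.
# $1 = roster file, $2 = username
report() {
    if check_regex "$1" "$2"; then r=present; else r=absent; fi
    if check_fixed "$1" "$2"; then f=present; else f=absent; fi
    printf '%-22s regex:%-8s fixed:%s\n' "$2" "$r" "$f"
}

demo() {
    d=$(mktemp -d) || return 1
    make_roster "$d/present"
    ( cd "$d" || exit 1
      report present alice             # legitimate user
      report present dave.k            # legitimate user whose name contains a metacharacter
      report present 'b.b'             # regex form: '.' matches the 'o' in bob
      report present '.*'              # regex form: matches every line in the roster
      report present '-v'              # option-looking name, neutralised by -e in check_fixed
      report present 'x`touch pwned`y' # backticks inside a variable's value are literal text
      if [ -e pwned ]; then echo 'command substitution ran'; else echo 'no command substitution'; fi
    )
    rm -rf "$d"
}

demo
```

The fixed-string form is the one to keep, but it only solves the matching problem: a username is still data that should be validated against an explicit allowed character set before it goes anywhere near a shell command line or a file path.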

