In message <4a1db1af.3060...@facebook.com>,
David Reiss writes:
>I want to implement a rule that looks something like this...
>
>pattern=invalid data (.*) at context (.*)
>action=shellcmd /path/to/report.sh "invalid data" '$1' '$2'
>
>However, the data and context are not internally controlled, so they
>could possibly contain shell metacharacters. For example, if a log
>message is
>
>invalid data '`touch /root/attack`' at context foo
>
>then the shell command will execute the command 'touch /root/attack'.
>It seems like the -quoting option only affects the rule description. I
>was not able to find any way to ensure that $-substitutions in the
>shellcmd are properly quoted?

Right off the top of my head I would use pipe instead and pass the
data on stdin where it is safe from the shell.

  action = pipe '$1 $2' /path/to/report.sh "invalid data"

Having multiple data items does make it a little difficult since pipe
sends a single string in, but if you can use a newline as a delimiter
you can assign a variable on startup:

  action = eval %newline (return "\n")

and use:

  action = pipe '$1%newline$2' /path/to/report.sh "invalid data"

to get each matched subpattern on a separate line.

Also you could use a description of

  description = invalid data $1 $2
  action = shellcmd /path/to/report.sh %s

with -quoting but again you have the issue of how to separate out the
two data items.

You could also try using a perl function defined using eval (see the
example in the man page, look for funcptr) and call it:

  action = call %safe %makesafe $1 $2; \
           shellcmd /path/to/report.sh "invalid data" %safe

where makesafe returns something like:

  '`touch /root/attack`' 'foo'

and assigns it to %safe. A sample makesafe function may be:

  sub {
     (my $var1 = $_[0]) =~ tr/'/!/;
     (my $var2 = $_[1]) =~ tr/'/!/;
     return "'$var1' '$var2'";
  }

It replaces single quotes in the data passed in with an exclamation
mark allowing you to use single quotes around the arguments.

I think this works safely.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
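
The receiving side of the pipe approach suggested in the reply, as an added example that is not part of the original thread and not code from the SEC project. The function name format_report, the report line format and the use of the script's first argument as the report kind are assumptions; it expects the two matched fields on stdin, one per line, as produced by '$1%newline$2'.

```shell
#!/bin/sh
# Added example (not from the original post): a possible body for the
# report.sh that SEC's pipe action feeds. All names here are hypothetical.

# format_report KIND
# Reads the two matched fields from stdin, one per line (data, then
# context), and prints a single report line on stdout.
format_report() {
    kind=$1
    data=
    context=
    # IFS= keeps leading/trailing blanks, -r keeps backslashes literal.
    # A final line without a trailing newline is still accepted.
    IFS= read -r data || [ -n "$data" ] || return 1
    IFS= read -r context || [ -n "$context" ] || return 1
    # The fields are only ever expanded inside double quotes and passed as
    # printf arguments (never as the format string, never through eval), so
    # backticks, $(...) and quotes in the log text are printed as-is.
    printf '%s: data=[%s] context=[%s]\n' "$kind" "$data" "$context"
}

# Run only when installed under the name report.sh, e.g. from
#   action = pipe '$1%newline$2' /path/to/report.sh "invalid data"
if [ "${0##*/}" = "report.sh" ]; then
    format_report "$1"
fi
```

An empty match is passed through as an empty field, while input with fewer than two lines makes format_report return 1 without printing anything.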