[DGD]External commands

Erwin Harte harte at xs4all.nl
Sat Mar 31 18:09:20 CEST 2001


On Sat, Mar 31, 2001 at 04:47:22PM +0100, Matthew Jenkins wrote:
> 
> On Sat, 31 Mar 2001, Erwin Harte wrote:
> 
[...]
> 
> > - What if this is called with 'foo | rm -rf /' as 5th parameter?
> 
> then you email someone the message "foo | rm -rf /".

Uhm.  Ok, my mistake, let me rephrase:

What if f->sp[4].u.string->text contains the text "foo | rm -rf /" as
contents?  Do you check for that?

|        sprintf(command,"sendmail -bs -F%s <tmail >tmail.out",
|                f->sp[4].u.string->text);
|        system(command);

You'd end up with:

  "sendmail -bs -Ffoo | rm -rf / <tmail >tmail.out"

How do you think system() is going to interpret that?

It's not that I think you don't care, but keep in mind that while you
are using this on a game where you are apparently the only one in
charge, if you're offering the code to others who are not, they might
not be aware of these flaws and find their games/computers hacked or
supposedly private email monitored by third parties who should not be
able to.

Please be careful.

Erwin.
-- 
Erwin Harte      : `Don't mind Erwin, he gets crabby. :)'
harte at xs4all.nl  :    -- Par Winzell <zell at skotos.net>
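The bug discussed above, as an added example that is not code from the thread or from the DGD driver: the posted sprintf()/system() pattern beside a hardened replacement that allow-lists the name and execs sendmail directly, so no shell ever parses the string. All function names, the 64-character limit and the "._-@" allow-list are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Hypothetical helpers written for this thread; not code from the posted driver. */

/* The posted pattern: the caller-supplied name is pasted into a command line
 * that system() hands to /bin/sh, so shell metacharacters in it get executed. */
int build_shell_command(char *buf, size_t n, const char *from) {
    int len = snprintf(buf, n, "sendmail -bs -F%s <tmail >tmail.out", from);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}
/* Allow-list check (assumed policy): letters, digits and "._-@" only; space,
 * '|', ';', '`', quotes and everything else are rejected. Returns 1 if ok. */
int from_is_acceptable(const char *from) {
    if (from == NULL || *from == '\0' || strlen(from) > 64) return 0;
    for (const char *p = from; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("._-@", *p) == NULL) return 0;
    return 1;
}
/* Build an argument vector instead of a command string: "-F<from>" stays one
 * argv entry whatever it contains. Returns the argument count, or -1. */
int build_sendmail_argv(char *argv[4], char *fopt, size_t fopt_n, const char *from) {
    if (snprintf(fopt, fopt_n, "-F%s", from) >= (int)fopt_n) return -1;
    argv[0] = "sendmail"; argv[1] = "-bs"; argv[2] = fopt; argv[3] = NULL;
    return 3;
}
/* execvp() the vector directly, so no shell ever parses it; the child does the
 * "<tmail >tmail.out" redirection itself. Returns the exit status, or -1. */
int run_without_shell(char *const argv[], const char *in_path, const char *out_path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (!freopen(in_path, "r", stdin) || !freopen(out_path, "w", stdout)) _exit(127);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Hardened replacement for the posted snippet: validate, then exec without a shell. */
int send_mail_from(const char *from) {
    char fopt[80], *argv[4];
    if (!from_is_acceptable(from) || build_sendmail_argv(argv, fopt, sizeof fopt, from) < 0)
        return -1;
    return run_without_shell(argv, "tmail", "tmail.out");
}
```

Even without the allow-list, the argv form passes the whole name as a single argument to sendmail, which is why the validation and the no-shell exec belong together as defence in depth.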
