[luci] Passing command line args to class luci.sys.call()
Frank Parker
mr.frank.parker at gmail.com
Wed May 15 19:05:08 CEST 2013
Jow,
Thanks, this is exactly what I needed. I understand the security concern.
I should have mentioned that I removed my input validation code to make my
example more succinct. However, I will use nixio.fork() instead.
Two questions:
1) Can you tell me how nixio.fork() provides protection against injected
commands?
2) I see io.stderr.write() writes a message on error. Is there a way to
write a message on success?
-parker
On Tue, May 14, 2013 at 1:37 AM, Jo-Philipp Wich <xm at subsignal.org> wrote:
> Hi.
>
> > luci.sys.call("/bin/register $var1 $var2")
>
> You could use luci.sys.call("/bin/register %q %q" %{ var1, var2 })
>
> However, keep in mind that this method of passing arguments is
> dangerous, as the entire command string passed to call() is run through
> "/bin/sh -c" on your system, so whatever special characters are
> embedded in the command are interpreted by the shell, meaning a username
> like "test$(rm -rf /)" could inject arbitrary commands into the system.
>
> It is better to use nixio for a cleaner way of launching an external
> command:
>
> if nixio.fork() == 0 then
>     -- I'm the child
>     nixio.exec("/bin/register", var1, var2)
>     -- this is only reached if exec() failed
>     io.stderr:write("Oh no, can't exec\n")
> end
>
>
> Hth,
> Jow
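The fork()/exec() pattern quoted above, extended so the parent reports success or failure, as an added example that is not code from either poster. It assumes the nixio API as used by LuCI: nixio.fork() returning the child pid (0 in the child, nil on error), nixio.exec(path, ...) passing each argument as a separate argv entry, and nixio.waitpid(pid) returning pid, state ("exited" or "signaled") and code.

```lua
-- Added example: argv-based launching without /bin/sh, plus a success check.
-- Assumes nixio.fork(), nixio.exec(path, ...) and nixio.waitpid(pid) as
-- described in the lead-in.
local nixio = require "nixio"

-- Runs `path` with its arguments as separate argv entries. No shell is
-- involved, so "$(...)", ";" or "&&" inside var1/var2 are delivered to
-- /bin/register as literal bytes in argv[1]/argv[2], never interpreted.
local function run_checked(path, ...)
	local pid = nixio.fork()
	if pid == nil then
		return nil, "fork failed"
	elseif pid == 0 then
		-- child: replace this process image with the target program
		nixio.exec(path, ...)
		-- only reached if exec() failed (missing file, not executable, ...)
		io.stderr:write("Oh no, can't exec " .. path .. "\n")
		os.exit(127)
	end

	-- parent: wait for the child and translate its exit status
	local wpid, state, code = nixio.waitpid(pid)
	if not wpid then
		return nil, "waitpid failed"
	elseif state == "exited" and code == 0 then
		return true
	elseif state == "exited" then
		return nil, string.format("exited with status %d", code)
	else
		return nil, string.format("%s (%d)", state, code)
	end
end

-- Constructed input in the shape of the injection attempt from the thread;
-- with argv passing it reaches the program unchanged, as one argument.
local var1, var2 = "test$(whoami)", "constructed-password"
local ok, err = run_checked("/bin/register", var1, var2)
if ok then
	io.stdout:write("register succeeded\n")
else
	io.stderr:write("register failed: " .. err .. "\n")
end
```

The success message lives in the parent after waitpid(), because once exec() succeeds the child's code is gone and only the exit status comes back.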