[luci] Passing command line args to class luci.sys.call()
Bryan Mayland
bmayland at leoninedev.com
Wed May 15 22:32:55 CEST 2013
On 5/15/2013 1:05 PM, Frank Parker wrote:
>
> 1) Can you tell me how nixio.fork() provides protection against
> injected commands?
>
> 2) I see io.stderr.write() writes a message on error. Is there a way
> to write a message on success?
>
>
1) It protects because you've got the name of the executable fixed in
your code as the first parameter. The user supplied parameters you're
passing through go in as parameters so they can't be executed. Example:
user enters "localhost; rm -fR /" as a host they want to ping. Just
doing a sys call will execute `ping -n 4 localhost; rm -fR /` which will
be split by the shell into two commands.
exec() on the other hand takes the executable as the first parameter
("/bin/ping") and then passes the parameters to that executable
regardless of what special shell characters they contain.
2) io.stderr.write() doesn't write a message on error, it writes to the
stderr output pipe. stderr is one of the two standard outputs of every
application launched on any operating system and those two are the data
that comes out when you run something from a terminal. If you're trying
to log a message from a LuCI service, look at nixio.syslog().
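To make the fork/exec point concrete, here is an added example (not code from this thread or from LuCI/nixio itself) of a helper that pings a user-supplied host without passing that string through a shell, then reports the outcome via syslog instead of stderr. It assumes nixio.fork(), nixio.exec(path, arg, ...), nixio.waitpid(pid) returning (pid, status, code) and nixio.syslog(priority, message) as documented for nixio, and a BusyBox/Linux ping that takes -c for the packet count.

```lua
-- Added example: ping a user-supplied host safely from a LuCI-style service.
local nixio = require "nixio"

-- Defensive allow-list: a hostname or IP only needs letters, digits, '.', '-', ':'.
-- This is belt and braces; exec() below is what actually prevents injection.
local function valid_host(host)
  return type(host) == "string" and #host > 0 and #host <= 253
    and host:match("^[%w%.%-:]+$") ~= nil
end

-- UNSAFE pattern the thread warns about (shown only as a comment):
--   luci.sys.call("ping -c 4 " .. host)
-- The whole string goes to /bin/sh, so "localhost; rm -fR /" becomes two commands.

-- SAFE pattern: fork, then exec("/bin/ping", ...) with the host as a single
-- argv entry. No shell parses it, so ';', '|' or '$(...)' are just bytes in an
-- argument that ping will fail to resolve.
local function ping_safe(host)
  if not valid_host(host) then
    return false, "rejected", "invalid host argument"
  end
  local pid = nixio.fork()
  if pid == nil then
    return false, "fork", "fork() failed"
  elseif pid == 0 then
    -- child: replace this process with ping (assumed: nixio.exec(path, arg, ...))
    nixio.exec("/bin/ping", "-c", "4", host)
    os.exit(127)  -- only reached if exec() itself failed
  end
  -- parent: wait for the child (assumed: returns pid, "exited"|"signaled", code)
  local _, status, code = nixio.waitpid(pid)
  local ok = (status == "exited" and code == 0)
  -- Log the result on both success and failure; this is the "message on
  -- success" the thread asks about, sent to syslog rather than stderr.
  nixio.syslog(ok and "info" or "warning",
    string.format("ping %s -> %s (%s %s)", host,
      ok and "ok" or "failed", tostring(status), tostring(code)))
  return ok, status, code
end

return { ping_safe = ping_safe, valid_host = valid_host }
```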