[luci] Passing command line args to class luci.sys.call()

Frank Parker mr.frank.parker at gmail.com
Wed May 15 22:50:10 CEST 2013


Bryan,

1) Thanks!  That makes sense now.

2) Ah, of course.  stderr & stdout...  I was thinking that it was writing a
message onto the webpage.  I'll have to re-think this.  I'm trying to
get a message on the web page after the shell script runs successfully.

-parker


On Wed, May 15, 2013 at 1:32 PM, Bryan Mayland <bmayland at leoninedev.com> wrote:

> On 5/15/2013 1:05 PM, Frank Parker wrote:
>
>>
>> 1) Can you tell me how nixio.fork() provides protection against injected
>> commands?
>>
>> 2) I see io.stderr.write() writes a message on error.  Is there a way to
>> write a message on success?
>>
>>
> 1) It protects because you've got the name of the executable fixed in
> your code as the first parameter. The user supplied parameters you're
> passing through go in as parameters so they can't be executed. Example:
> user enters "localhost; rm -fR /" as a host they want to ping. Just doing a
> sys call will execute `ping -n 4 localhost; rm -fR /` which will be split
> by the shell into two commands.
>
> exec() on the other hand takes the executable as the first parameter
> ("/bin/ping") and then passes the parameters to that executable regardless
> of what special shell characters they contain.
>
> 2) io.stderr.write() doesn't write a message on error, it writes to the
> stderr output pipe. stderr is one of the two standard outputs of every
> application launched on any operating system and those two are the data
> that comes out when you run something from a terminal. If you're trying to
> log a message from a LuCI service, look at nixio.syslog()
>
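The fork/exec pattern Bryan describes, as an added example that is not part of the original thread: the executable path is fixed, the user-supplied host travels as a single argv entry, and the exit status is returned so the page can report success. It assumes nixio on an OpenWrt/LuCI system and BusyBox ping's `-c` count flag; `valid_host` and `ping_host` are hypothetical helper names.

```lua
-- Added example, not code from the thread. Assumes nixio (OpenWrt/LuCI).
local nixio = require "nixio"

-- Unsafe form discussed in the thread: the whole string is handed to /bin/sh,
-- so "localhost; rm -fR /" is split into two commands.
--   luci.sys.call("ping -c 4 " .. host)

-- Hypothetical helper. exec() stops shell splitting, but a value starting
-- with "-" would still be read by ping as an option, so reject it and
-- allow only hostname / IP address characters.
local function valid_host(host)
    return type(host) == "string"
        and #host > 0 and #host <= 253
        and host:match("^[%w%.:%-]+$") ~= nil
        and host:sub(1, 1) ~= "-"
end

-- Hypothetical helper. Returns true/false for ping's result, or nil + message.
local function ping_host(host)
    if not valid_host(host) then
        return nil, "invalid host"
    end
    local pid, _, errmsg = nixio.fork()
    if not pid then
        return nil, errmsg
    end
    if pid == 0 then
        -- Child: keep ping's stdout/stderr out of the HTTP response.
        local devnull = nixio.open("/dev/null", "w")
        if devnull then
            nixio.dup(devnull, nixio.stdout)
            nixio.dup(devnull, nixio.stderr)
        end
        -- Fixed executable; host is one argument and is never parsed by a shell.
        nixio.exec("/bin/ping", "-c", "4", host)
        os.exit(127) -- reached only if exec() itself failed
    end
    -- Parent: wait for the child and turn its exit status into a result.
    local _, state, code = nixio.waitpid(pid)
    return state == "exited" and code == 0
end

-- Constructed sample inputs: one valid host, the injection string from the
-- thread, and an option-style value.
for _, host in ipairs({ "localhost", "localhost; rm -fR /", "-f" }) do
    local ok, err = ping_host(host)
    print(host, ok, err)
end
```

A LuCI controller can use the boolean result to choose which message to render on the page, instead of relying on anything the child process writes to stdout or stderr.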