...
| Code Block | ||
|---|---|---|
| ||
char* search_command; /* provided by the user, looks like 'grep -e...' */ system( search_cmmandcommand); |
In this scenario, the user may actually issue any command, (or multiple commands!) to be arbitrarily executed by the system.
...
| Code Block | ||
|---|---|---|
| ||
#include <string.h>
/* ... */
char* search_command; /* provided by the user, looks like 'grep -e...' */
if (strlen( search_command) < strlen("xgrep")) {
/* handle too-short-command error */
}
{
/* Make sure command is actually a grep variant
* by ensuring command starts with "grep" or "*grep" */
char* location = strstr( search_command, "grep");
if (location != search_command && location != search_command+1) {
/* handle not-a-grep-command error */
}
}
{
/* Eliminate bad chars */
static char bad_chars[] = "$|&>;`\n";
if (strcspn(cp, bad_chars) =!= strlen(cp)) {
/* handle naughty-chars-in-command error */
}
}
/* Sanitize current environment, using spc_sanitize_environment
from previous compliant example */
if (system( search_cmmandcommand) != 0) {
/* handle system error */
}
|
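Review bot: The bad-character check tests `cp`, which is not declared in the visible snippet, so unless it is defined in the elided part the filter never examines the string that reaches `system()`; it should read `if (strcspn(search_command, bad_chars) != strlen(search_command))`. I am reading the fused `=!=` and `search_cmmandcommand` as old and new text run together by the diff view, i.e. `!=` and `search_command` on the new side. Separately, `bad_chars` is a deny-list that omits other characters the shell treats specially (for example `<`, parentheses, quotes and backslash), and the prefix test accepts any single byte in front of `grep`. Since the comment about the "previous compliant example" suggests this is itself offered as compliant, an allow-list would be easier to defend, e.g. `if (search_command[strspn(search_command, ok_chars)] != '\0')`, where `ok_chars` is a new array holding only the characters a grep invocation needs. Better still, the example could avoid the shell and pass the pattern as a single argv element to an `exec`-family call.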
...