FW: [ploticus] noshell parameter
- Hello Joel,
The -noshell command line option is supposed to prevent any shell commands that a user might supply in a script, from being executed. I haven't heard evidence that this option is generally used much. It is probably not a very rigorous implementation, and the developer should verify that it is working correctly in the necessary contexts, since allowing invocation of user-supplied shell commands can sometimes be a security hole.
The following script constructs are disabled when -noshell is in effect:
file: filename (because this allows shell expansion of wild cards)
I took a quick look around, and it appears the scripts that prefabs invoke, really don't use any of these constructs in any significant way, so it probably is a moot point for prefabs.
The above issue with proc getdata "file" attribute is currently not documented, so I am going to update the manual's description of -noshell accordingly.
If this doesn't answer your question please follow up.
From: email@example.com [firstname.lastname@example.org] On Behalf Of Joel Natividad [joel.natividad@...]
Sent: Tuesday, May 05, 2009 1:41 PM
Subject: [ploticus] noshell parameter
What commands exactly are suppressed by the noshell parameter?
Does it work for both prefab and script modes?
Does it prevent me from passing commandline parms (e.g. ;echo "<?php echo 'hello world'; ?>" > test.php;), etc.?