Loading ...
Sorry, an error occurred while loading the content.

FW: [ploticus] noshell parameter

Expand Messages
  • Stephen Grubb
    Hello Joel, The -noshell command line option is supposed to prevent any shell commands that a user might supply in a script, from being executed. I haven t
    Message 1 of 1 , May 6, 2009
    • 0 Attachment
      Hello Joel,

      The -noshell command line option is supposed to prevent any shell commands that a user might supply in a script, from being executed. I haven't heard evidence that this option is generally used much. It is probably not a very rigorous implementation, and the developer should verify that it is working correctly in the necessary contexts, since allowing invocation of user-supplied shell commands can sometimes be a security hole.

      The following script constructs are disabled when -noshell is in effect:

      #proc getdata
      command: myshellcommand

      #proc getdata
      file: filename (because this allows shell expansion of wild cards)

      #shell
      myshellcommand
      #endshell

      I took a quick look around, and it appears the scripts that prefabs invoke, really don't use any of these constructs in any significant way, so it probably is a moot point for prefabs.

      The above issue with proc getdata "file" attribute is currently not documented, so I am going to update the manual's description of -noshell accordingly.

      If this doesn't answer your question please follow up.

      Steve


      ________________________________________
      From: ploticus@yahoogroups.com [ploticus@yahoogroups.com] On Behalf Of Joel Natividad [joel.natividad@...]
      Sent: Tuesday, May 05, 2009 1:41 PM
      To: ploticus@yahoogroups.com
      Subject: [ploticus] noshell parameter

      Hi Steve,
      What commands exactly are suppressed by the noshell parameter?

      Does it work for both prefab and script modes?

      Does it prevent me from passing commandline parms (e.g. ;echo "<?php echo 'hello world'; ?>" > test.php;), etc.?

      Thanks,
      Joel
    Your message has been successfully submitted and would be delivered to recipients shortly.