Vulnerability Development mailing list archives

Re: shell script cgi (summary?)


From: Andre Breiler <andre.breiler () teamwerk com>
Date: Tue, 19 Nov 2002 19:26:15 +0000 (GMT)

On Tue, 19 Nov 2002, Brian Fury wrote:

On Mon, 18 Nov 2002, you wrote:
Thanks to everyone who replied regarding my attempts
to stuff shell commands into this line:

ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`

top-secret zero-day reasons why this might not work.... but hey it worked for
me.

It shouldn't as long as you don't change the meaning of it.

[root@localhost lib]# export LAME=""whoami""""
[root@localhost lib]# `echo "$LAME" | sed "s#\;##g"`
root
[root@localhost lib]#

wh00pz - lookz like command execution to me

Yes, that will work because the shell expands the `...` into "whoami",
so that you have:
 [root@localhost lib]# 'whoami'
after expansion.

In the original example the expanded bit got stored in a variable, so
after expansion the command would look like:
 [root@localhost lib]# ua='whoami'
So no further execution (note: I used ' to show that the shell expands
things only once).

In case you didn't realise - it'z the ` and ` characters around the whole
expression that allowz uz command execution....

Yes, the idea behind `` is that it gets executed and replaced by its
output. Whether this output gets executed depends on whether you are using
the output as a command (your example) or not (the original example).

Bye Andre'
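
The distinction drawn in this thread, as an added example that is not part of the original posts: the same substitution is run once with its output assigned to a variable and once with its output used as the command line. The names MARKER, verdict, stored_only and run_as_command are assumptions made for the example, and a harmless touch of a temporary file stands in for whoami so the outcome can be checked.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are illustrative.
MARKER="${TMPDIR:-/tmp}/ua_marker.$$"

# Report whether the harmless probe command ran, then clean up.
verdict() {
    if [ -e "$MARKER" ]; then echo executed; else echo inert; fi
    rm -f "$MARKER"
}

# The original CGI line: the substitution's output is assigned to ua.
# The shell expands once, so backticks or $(...) inside the value stay text.
stored_only() {
    rm -f "$MARKER"
    HTTP_USER_AGENT=$1
    ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`
    verdict
}

# The follow-up test: the substitution is the whole command line,
# so its output is word-split and executed as a command.
run_as_command() {
    rm -f "$MARKER"
    LAME=$1
    `echo "$LAME" | sed "s#\;##g"` >/dev/null 2>&1
    verdict
}

# Constructed header values (not captured traffic).
nested="\`touch $MARKER\`; \$(touch $MARKER)"
plain="touch $MARKER"

echo "stored in variable, nested substitutions: $(stored_only "$nested")"
echo "stored in variable, plain command text:   $(stored_only "$plain")"
echo "output used as command, plain text:       $(run_as_command "$plain")"
```

A later `eval`, or a second unquoted use of `$ua` in command position, would reintroduce the second case, so a review of such a script should follow the variable to every place it is used.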

