Vulnerability Development mailing list archives
Re: shell script cgi (summary?)
From: Philip Rowlands <phr () doc ic ac uk>
Date: Tue, 19 Nov 2002 19:42:43 +0000 (GMT)
On Tue, 19 Nov 2002, Brian Fury wrote:
ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"`[root@localhost lib]# export LAME=""whoami"""" [root@localhost lib]# `echo "$LAME" | sed "s#\;##g"` root
Well yes, if you run it directly. The initial question was about variable assignment. Your example in context: $ cat cgiscript ua=`echo "$HTTP_USER_AGENT" | sed "s#\;##g"` $ export HTTP_USER_AGENT=""whoami"""" $ sh -x ./cgiscript ++ echo whoami ++ sed 's#\;##g' + ua=whoami All those quotes around ""whoami"""" cancel out, BTW. The shell sees: <export><SP><LAME><=><""><whoami><""><""> Cheers, Phil
Current thread:
- shell script cgi c jones (Nov 14)
- Re: shell script cgi Brian Hatch (Nov 14)
- Re: shell script cgi c jones (Nov 15)
- Re: shell script cgi Philip Rowlands (Nov 16)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Ed Schmollinger (Nov 17)
- Re: shell script cgi (summary?) c jones (Nov 18)
- Re: shell script cgi (summary?) Brian Fury (Nov 19)
- Re: shell script cgi (summary?) Andre Breiler (Nov 20)
- Re: shell script cgi (summary?) Philip Rowlands (Nov 20)
- Re: shell script cgi (summary?) Brian Hatch (Nov 19)
- Re: shell script cgi Nick Jacobsen (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 14)
- Re: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi mlh (Nov 18)
- <Possible follow-ups>
- RE: shell script cgi Rajko Zschiegner (Nov 16)
- Re: shell script cgi Brian Hatch (Nov 16)
- Re: shell script cgi Ralf Dreibrodt (Nov 17)
- Re: shell script cgi mlh (Nov 18)
- Re: shell script cgi Brian Hatch (Nov 16)