Comments on: Script day: grep in jar (or zip) files http://geek.co.il/wp/2009/09/14/script-day-grep-in-jar-or-zip-files Thoughts about the universe in general Mon, 06 Sep 2010 20:57:02 +0000 hourly 1 http://wordpress.org/?v=3.1-alpha By: Oded http://geek.co.il/wp/2009/09/14/script-day-grep-in-jar-or-zip-files/comment-page-1#comment-213509 Oded Sun, 08 Nov 2009 23:29:37 +0000 http://geek.co.il/wp/?p=1175#comment-213509 P.S - I don't like preview comments as I think they are redundant. I will investigate adding them anyway though. P.S – I don’t like preview comments as I think they are redundant. I will investigate adding them anyway though.

]]> By: Oded http://geek.co.il/wp/2009/09/14/script-day-grep-in-jar-or-zip-files/comment-page-1#comment-213508 Oded Sun, 08 Nov 2009 23:28:54 +0000 http://geek.co.il/wp/?p=1175#comment-213508 The problem of shell variable escaping is known, and in this simple example (as well as most other scripts I write) I choose to ignore it unless I know for a fact that the values I'm dealing with are expected to include word delimiters (IFR in bash-speak). Specifically in this case, jar files very rarely include white space (I could say "never" as I haven't see such a case in all my years, but as they say - "never say never") and class files are not allowed to include white space in their names by the Java language specification. I do quote the submitted pattern in the above example, because it is always important to make sure user input can't escape into your script, regardless of what it is matched against :-) . The problem of shell variable escaping is known, and in this simple example (as well as most other scripts I write) I choose to ignore it unless I know for a fact that the values I’m dealing with are expected to include word delimiters (IFR in bash-speak).

Specifically in this case, jar files very rarely include white space (I could say “never” as I haven’t see such a case in all my years, but as they say – “never say never”) and class files are not allowed to include white space in their names by the Java language specification.

I do quote the submitted pattern in the above example, because it is always important to make sure user input can’t escape into your script, regardless of what it is matched against :-) .

]]> By: Shlomi Fish http://geek.co.il/wp/2009/09/14/script-day-grep-in-jar-or-zip-files/comment-page-1#comment-213416 Shlomi Fish Sat, 07 Nov 2009 08:31:17 +0000 http://geek.co.il/wp/?p=1175#comment-213416 Hi Oded! Your code here suffers from potential shell-variable injection. See my posts about: <a href="http://community.livejournal.com/shlomif_tech/35301.html" rel="nofollow">Code Injection</a> <a href="http://community.livejournal.com/shlomif_tech/14671.html" rel="nofollow">Shell Variable Injection</a> And why can't we have comment previews here? Stupid and incredibly lame WordPress. Hi Oded!

Your code here suffers from potential shell-variable injection. See my posts about:

Code Injection

Shell Variable Injection

And why can’t we have comment previews here? Stupid and incredibly lame WordPress.

]]>