
How to fix the whole category of shell injection

Posted Dec 6, 2024 20:16 UTC (Fri) by Wol (subscriber, #4433)
In reply to: How to fix the whole category of shell injection by raven667
Parent article: Abusing Git branch names to compromise a PyPI package

> Maybe this could be a pragma comment in the scripts, like how you can ignore warnings with shellcheck, so you can say "yes please interpret and expand the arguments in this command" when that _is_ what you want to do in a way that is visible in the script.

The Pr1mos shell (early 80s) had something exactly like this. I don't remember the details, but v18 had a Command Processor Language (CPL) with all sorts of globbing. That then became part of the shell proper with v19. And I do remember something about switches where you could tell the shell to glob or not glob, and stuff like that. It's too long ago, but I do miss that power - so much of the past has been lost ...

Cheers,
Wol



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds