[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH OSSTEST v7 01/15] TestSupport: Add helper to fetch a URL on a host

Ian Campbell writes ("[PATCH OSSTEST v7 01/15] TestSupport: Add helper to fetch 
a URL on a host"):
> Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
> ---
> v7: Quote $url and $path, switch to a heredoc to avoid resulting over
>     long line
...

Last time I wrote:

  Do we care that this will break badly if the url contains shell
  metacharacters ?  I think we may do.

but:

> +    $useproxy wget --progress=dot:mega -O \"$path\" \"$url\"

Did you try this with $path or $url containing $ or   or " or \ or ` or
starting with - ?

There are a fair few places in osstest where we're quite lax with this
kind of thing, but (hopefully) only where the information definitely
comes from the configuration (or some other trusted source).  A
general helper like this ought to be robust against that kind of input
(which may well mean failing, but it should not include potentially
executing bits of the input or misinterpreting it as command line
options to wget.

\Q may be of some help.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.