in reply to safe quoting for shell parameters

If you're reading the command to execute from the user, they can already run whatever command they want. What's the point of trying to stop them from being tricky with shell escapes when they can just run their program directly, by sending it to you in $cmd?

A design like this only makes sense if you pretty much completely trust the person sending input to the script.

Re: Re: safe quoting for shell parameters
by Gunstick (Initiate) on Jan 01, 2004 at 22:40 UTC
    Where do I say that reading the command from the user implies they can run any command??? This is not true.
    In this case the user cannot run any command; it is part of an ssh wrapper script, and the variable to parse escape-free is $SSH_ORIGINAL_COMMAND.
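
The kind of wrapper the reply describes, as an added example that is not part of the original thread: a forced-command script that splits `$SSH_ORIGINAL_COMMAND` into words without ever handing it to a shell for evaluation, then checks the words against an allow-list. The allowed commands (`uptime`, `df`), the `/srv/` prefix and the wrapper path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an authorized_keys entry such as
#   command="/usr/local/bin/ssh-wrapper" ssh-ed25519 AAAA...   (path assumed)
# sshd places the client's requested command line in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL          # make [A-Z] style ranges byte-exact
PATH=/usr/bin:/bin; export PATH  # do not inherit a search path
unset IFS                        # default splitting: space, tab, newline

# check_request STRING: return 0 only for an allow-listed request.
# Allow-list (hypothetical): "uptime", or "df <path under /srv/>".
check_request() {
    set -f          # no globbing while the string is split into words
    set -- $1       # unquoted on purpose: split only, never evaluated
    set +f
    [ $# -ge 1 ] || return 1
    for word in "$@"; do
        case $word in
            *[!A-Za-z0-9._/-]*) return 1 ;;   # quotes, $, ;, |, &, ` ...
        esac
    done
    case $1 in
        uptime) [ $# -eq 1 ] ;;
        df)     [ $# -eq 2 ] || return 1
                case $2 in
                    *..*)   return 1 ;;       # no climbing out of /srv
                    /srv/*) return 0 ;;       # also rules out "-option"
                    *)      return 1 ;;
                esac ;;
        *)      return 1 ;;
    esac
}

# run_request STRING: execute the validated words as an argv, no eval/sh -c.
run_request() {
    check_request "$1" || { echo "request denied" >&2; return 1; }
    set -f; set -- $1; set +f
    "$@"
}

# Only act when sshd supplied a command; a bare login gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Because every word is restricted to a fixed character set before use, no quoting or escaping step is needed at all; anything that would require quoting is rejected instead.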