[Bug 2283] option to execute command without shell

bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 6 22:02:10 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2283

Salvador Fandiño <sfandino at yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sfandino at yahoo.com

--- Comment #5 from Salvador Fandiño <sfandino at yahoo.com> ---
3 use cases:

- quoting properly requires knowing the user's remote shell or
auto-detecting it. This complicates creating scripts that connect to a
bunch of machines and do something.

- security issues: passing some data from an untrusted source (i.e. a
web POST) to a remote machine requires quoting the data. But creating a
generic quoter can be daunting and edge cases or bugs in the shell may
be exploited. This is a similar case to the SQL injection problem, where
using placeholders is far securer than quoting.

- lazy people: as quoting by hand requires work, it is pretty common for
people writing scripts to just ignore the issue completely, resulting in
crappy scripts. If it were as easy as adding a flag to the command
line, well, maybe more people would use it.
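
Added example, not part of the original comment or of OpenSSH: a Python illustration of the quoting problem in the second use case, using a local `/bin/sh -c` as a stand-in for the remote login shell. The function names, the sample input and `host.example` are assumptions made for the illustration.

```python
import shlex
import subprocess

def naive_remote_command(argv):
    """What ssh does with its trailing arguments: join them with spaces."""
    return " ".join(argv)

def quoted_remote_command(argv):
    """Quote each word for a POSIX-style shell so that the remote shell's
    word splitting reproduces argv exactly. Another kind of login shell
    needs its own quoting rules (the comment's first use case)."""
    return " ".join(shlex.quote(word) for word in argv)

def ssh_argv(host, argv):
    """Local argv for ssh, to be passed to subprocess.run without a local shell."""
    return ["ssh", host, quoted_remote_command(argv)]

def run_like_sshd(command, shell="/bin/sh"):
    """Local stand-in for the server side, which runs `<login shell> -c <command>`."""
    done = subprocess.run([shell, "-c", command],
                          capture_output=True, text=True, check=True)
    return done.stdout

# Constructed sample of untrusted input (for instance a web form field).
UNTRUSTED = "report 2015; echo INJECTED $(echo sub) 'q'"

if __name__ == "__main__":
    argv = ["printf", "%s\\n", UNTRUSTED]
    # Unquoted: the shell re-parses the data, so the text after ';' runs as a command.
    print("naive :", repr(run_like_sshd(naive_remote_command(argv))))
    # Quoted: the data arrives at printf as one unchanged argument.
    print("quoted:", repr(run_like_sshd(quoted_remote_command(argv))))
    print("ssh   :", ssh_argv("host.example", argv))
```

The quoted form is only correct when the remote login shell follows POSIX quoting, which is the dependency the requested no-shell option would remove.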
