[Bug 2283] option to execute command without shell
bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 6 22:02:10 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2283
Salvador Fandiño <sfandino at yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sfandino at yahoo.com
--- Comment #5 from Salvador Fandiño <sfandino at yahoo.com> ---
3 use cases:
- quoting properly requires knowing the user's remote shell or
auto-detecting it. This complicates creating scripts that connect to a
bunch of machines and do something.
- security issues: passing some data from an untrusted source (i.e. a
web POST) to a remote machine requires quoting the data. But creating a
generic quoter can be daunting and edge cases or bugs in the shell may
be exploited. This is a similar case to the SQL injection problem, where
using placeholders is far securer than quoting.
- lazy people: as quoting by hand requires work, it is pretty common for
people writing scripts to just ignore the issue completely, resulting in
crappy scripts. If it were as easy as adding a flag to the command
line, well, maybe more people would use it.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
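
The quoting problem from the comment above, as an added example that is not part of the original message or of OpenSSH. It relies on the fact that ssh joins its command arguments with spaces and the remote side hands that string to the user's shell; the tokeniser is Python's shlex standing in for a POSIX sh, and the helper names and sample strings are constructed for illustration.

```python
import shlex

def ssh_remote_command(argv):
    # ssh(1) joins the command arguments with single spaces; the server
    # passes the resulting string to the user's login shell.
    return " ".join(argv)

def sh_tokens(command):
    # Approximation of POSIX sh word splitting using Python's shlex;
    # punctuation_chars=True makes operators such as ';' separate tokens.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:
        return None  # unbalanced quote: a shell would report a syntax error

def unquoted(program, data):
    # What a script does when it ignores quoting altogether.
    return ssh_remote_command([program, data])

def quoted(program, data):
    # shlex.quote() implements POSIX sh rules only; it is not valid for
    # csh, fish, cmd.exe and so on (the "unknown remote shell" use case).
    return ssh_remote_command([program, shlex.quote(data)])

def arrives_as_one_argument(command, program, data):
    # True only if the remote shell would see exactly [program, data].
    return sh_tokens(command) == [program, data]

# Constructed sample inputs standing in for data from a web POST.
SAMPLES = ["notes.txt", "my notes.txt", "notes.txt; echo INJECTED",
           "it's; echo INJECTED"]

if __name__ == "__main__":
    for data in SAMPLES:
        for build in (unquoted, quoted):
            cmd = build("touch", data)
            ok = arrives_as_one_argument(cmd, "touch", data)
            print(f"{build.__name__:8} intact={ok!s:5} {cmd!r}")
```
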