How should I sanitize user input before passing it to %x (shell command execution)?

I take a line of input from the user and use it as parameters for a command-line command.

What is the best way to ensure that this input is "safe", i.e. that they did not insert "; cd /; rm -rf" or some other ugliness in the field?

Without any sanitization, I have ...

@query = params[:query]
@result = %x( mycommand #{@query} )  # the query is interpolated straight into the shell string

I need to get the output of the command, so I can't use system("command", "parameters"), since that returns only true or false, although it would provide protection.

I know this is dangerous ... thanks in advance.

+3

4 answers

, , , . , .

  • . mycommand - , . "rm -rf /", 10 000 , .
  • / mycommand "", ? 2 , ?

, mycommand, , : ; . , , .

+6

- , , , . , !

+3

, dwc, (im, , ) IP-, Resolv , A/CNAME PTR IP.

IP-, ptr, . , A/CNAME, , .

+1

Another option, if your commands are limited, is to create a drop-down list of commands and put the arguments in other fields / checkboxes / dropdowns. Then validate each argument as Mike suggests.

This would prevent any value a user enters from actually making it to the command line.

0
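An added example, not from the question or any of the answers, showing the combination the thread points at: a fixed table of allowed commands (the drop-down idea above), per-argument validation, and running the command through Open3.capture2 with an argument array, which captures stdout like %x does but never hands the string to a shell. The command table, the argument pattern and the function names are assumptions made for illustration; echo stands in for mycommand so the example runs anywhere.

```ruby
require "open3"

# Constructed allowlist: the form submits a key, never a command string.
# Keys and argv prefixes are hypothetical; "echo" stands in for mycommand.
ALLOWED_COMMANDS = {
  "echo" => ["echo"],
  "show" => ["echo", "show:"],
}.freeze

# Constructed argument policy: letters, digits, dot, dash, underscore, 1..64 chars.
# Anything else (spaces, ';', '|', '$', quotes, ...) is rejected outright.
ARG_PATTERN = /\A[A-Za-z0-9._-]{1,64}\z/

class UnsafeInput < StandardError; end

# Returns the argument unchanged if it matches the policy, raises otherwise.
def validate_arg(arg)
  raise UnsafeInput, "rejected argument: #{arg.inspect}" unless ARG_PATTERN.match?(arg)
  arg
end

# Looks the command up in the allowlist, validates every argument and runs it
# with an argv array. Open3.capture2(*argv) execs the program directly, so each
# element arrives as one argv entry and shell metacharacters carry no meaning.
# Returns the command's stdout, like %x, but without the shell.
def run_command(command_key, args)
  argv = ALLOWED_COMMANDS.fetch(command_key) { raise UnsafeInput, "unknown command #{command_key.inspect}" }
  safe_args = args.map { |a| validate_arg(a) }
  out, status = Open3.capture2(*argv, *safe_args)
  raise "command exited with #{status.exitstatus}" unless status.success?
  out
end

# Even without the pattern check, the array form keeps metacharacters literal:
# this passes the whole string as a single argument to echo.
def run_raw_no_shell(arg)
  out, _status = Open3.capture2("echo", arg)
  out
end

# The pattern from the question, kept for contrast: the input is pasted into a
# shell string, so ';' ends the echo and starts a second command.
def run_command_unsafe(query)
  %x( echo #{query} )
end

if __FILE__ == $PROGRAM_NAME
  puts run_command("show", ["report-2024.txt"])
  puts run_raw_no_shell("a; echo b").inspect
  begin
    run_command("echo", ["x; echo pwned"])
  rescue UnsafeInput => e
    puts "blocked: #{e.message}"
  end
end
```

The two layers are independent: the argv form alone already stops the shell from interpreting the input, and the allowlist plus pattern check additionally keeps the program itself from receiving arguments (option flags, paths) it was never meant to see.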

Source: https://habr.com/ru/post/1708912/
