
Your quoting of "$0" does not protect it from the shell. An attacker need only provide an input such as: /tmp"; rm -rf /; "

Not true.

  $ sh -c 'ls "$0"' '/tmp"; rm -rf /; "'
  ls: cannot access /tmp"; rm -rf /; ": No such file or directory
If you were right, there would be no reasonable way to write shell scripts.



My mistake, not knowing python's variable interpolation well, I thought that the $0 was expanded by it, not the shell. Which, if it were the case, would indeed be vulnerable.

Isn't it a bit harsh to downvote to -1 a comment which links to two completely on-topic libraries?
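The distinction the two comments above turn on (the string being formatted into the shell command by Python, versus being handed to sh as a positional parameter and expanded only inside the already-quoted "$0") can be checked directly. This is an added example, not code from the thread; the hostile path is constructed in the same shape as the one quoted above, with a harmless echo marker standing in for the second command, and `printf` standing in for `ls`.

```python
import subprocess

# Constructed hostile argument: a closing quote, a second command, and a
# reopening quote, i.e. the shape discussed in the thread. The injected
# command is a harmless marker so the result can be observed safely.
HOSTILE_PATH = '/tmp"; echo INJECTED; "'


def run_interpolated(path: str) -> str:
    """Unsafe pattern: Python formats the path into the command string, so
    the shell parses the attacker's quotes and semicolons as syntax."""
    cmd = 'printf "%s\\n" "{}"'.format(path)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout


def run_positional(path: str) -> str:
    """Safe pattern (the one the reply demonstrates): the path is passed to
    sh as a positional parameter ($0). The command string is fixed, and
    "$0" is expanded after parsing, so the shell never parses the path."""
    out = subprocess.run(["sh", "-c", 'printf "%s\\n" "$0"', path],
                         capture_output=True, text=True)
    return out.stdout


def injected(output: str) -> bool:
    """True when the marker appears on its own line, meaning the second
    command embedded in the path actually ran."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("interpolated:", repr(run_interpolated(HOSTILE_PATH)))
    print("positional:  ", repr(run_positional(HOSTILE_PATH)))
```

The interpolated form prints `/tmp` and then `INJECTED` as two separate lines (and sh complains about the empty trailing command); the positional form prints the whole hostile string as a single literal line.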


Your comment would be correct if it were PHP.


I didn't downvote you, fwiw.



