On 28.08.2007 03:05, Simon K. wrote:
> > place, neither for passwords, nor for something like [email protected]
> > or other thought-to-be-friendly parameters.
>
> You are talking about two different things. Felix is about sensitive
> data, you seem to be about injection. The latter is only a problem, when
> the program is executed with other rights than its user, which is
> normally not the case with command line programs.

You are right about the two different topics. Sure, it’s very,
very bad to write the password into the command line. But on a
single-user computer, this might be OK nevertheless, so this is up
to the user to decide. He can use public key authentication, then
this no longer matters (see PuTTY documentation for more details).

Injection is very bad irrespective of the user rights and which
parameter is vulnerable. If it’s not the password, he might pass the
username to the executed command, then it’s the same. Finally, a
parameter (like the given password) like “%PATH%” will make the
command not work; a password like “; rm -rf /*;” will have other
side effects that are certainly not assumed by the programmer.

String substitution is a good thing if you know precisely what
goes into this string and what is done with the resulting string. If
it is put into Kernel#system() with shell expansion, it’s like
Kernel#eval() – you certainly don’t want to put any arbitrary,
unquoted string into that without careful data checking. But
that’s happening here.

Very bad, indeed, but common practice and good triggers for long
security-related stories in newspapers.
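
Added example, not part of the original message or of the program under discussion: the difference between substituting a value into a single shell string and passing it as a separate argument, shown with a harmless constructed value. The `echo` command, the function names and the username pattern are assumptions, and a POSIX shell is assumed.

```ruby
require "open3"
require "shellwords"

# Constructed hostile "password": a harmless stand-in for the
# "; rm -rf /*;" value from the post. It only echoes a marker.
HOSTILE = "secret; echo INJECTED"

# Open3.capture2 accepts the same command forms as Kernel#system:
# one string may be handed to /bin/sh, an argument list never is.

# Unsafe: string substitution into a single shell command line.
def run_interpolated(value)
  out, _status = Open3.capture2("echo login #{value}")
  out
end

# Safe: one list element per argument, so no shell parses the value.
def run_argv(value)
  out, _status = Open3.capture2("echo", "login", value)
  out
end

# Fallback when a shell string cannot be avoided: quote the value first.
# Shellwords.escape follows POSIX sh rules, not cmd.exe rules.
def run_escaped(value)
  out, _status = Open3.capture2("echo login #{Shellwords.escape(value)}")
  out
end

# Data checking before use: allow-list for a username parameter.
# The pattern is an assumption for this example, not a standard.
def valid_username?(name)
  name.match?(/\A[A-Za-z0-9._-]{1,32}\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{run_interpolated(HOSTILE).inspect}"
  puts "argv:         #{run_argv(HOSTILE).inspect}"
  puts "escaped:      #{run_escaped(HOSTILE).inspect}"
  puts "valid name?   #{valid_username?(HOSTILE)}"
end
```

With the interpolated form the shell runs the second command; with the argument list and the escaped form the whole value reaches `echo` as one literal argument.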