I would like to enter a value at execution time within the system key
world environment.
However, I am having difficulties entering a value within a quoted
string.
For example, I can hard code the following and it works fine:
In a double quoted string (as well as in a regexp or backtick
expression) you
can substitute insert the value of any expression by enclosing it in
#{}:
never trust parameters or their encoding, or you beg for privilege
escalation problems. The given command will perform both shell
expansion (consider a password like “%PATH%”) and parameter
separation (consider a password like “pw; rm -rf /*”).
escalation problems. The given command will perform both shell
It’s generally a very bad idea to give a password on the command line.
I’m
not sure if Windows keeps a command line history, but all it would take
is
for the DOS Prompt to still be open, and for someone to arrow up.
system(“start putty.exe -X -ssh -pw #{ARGV[0]} myuserid@myhostname”)
never trust parameters or their encoding, or you beg for privilege
escalation problems. The given command will perform both shell
expansion (consider a password like “%PATH%”) and parameter
separation (consider a password like “pw; rm -rf /*”).
It’s generally a very bad idea to give a password on the command line. I’m
not sure if Windows keeps a command line history, but all it would take is
for the DOS Prompt to still be open, and for someone to arrow up.
Sure, but the problem is not limited to passwords. Any input you
cannot control or carefully check is bad if it is used in shell
expansion like the above. So better not start with it at the first
place, neither for passwords, nor for something like username@host
or other thought-to-be-friendly parameters.
I don’t know what Windows does with this command line. On
Linux you may say a simple
$ ps aux | grep ssh
and the whole command line is shown. Some programs like
GnuPG offer the facility to pipe the password to $stdin;
as far as I know BSD Ssh forbids entirely to pass it from
outside.
Maybe host-based authentication is a better solution for
you.
place, neither for passwords, nor for something like username@host
or other thought-to-be-friendly parameters.
You are talking about two different things. Felix is about sensitive
data, you seem to be about injection. The latter is only a problem, when
the program is executed with other rights than its user, which is
normally not the case with command line programs.
You are right about the two different topics. Sure, it’s very, very bad to write the password into the command line. But on a
single-user computer, this might be OK nevertheless, so this is up
to the user to decide. He can use public key authentication, then
this is no matter anymore (see PuTTY documentation for more details).
Injection is very bad irrespective of the user rights and which
parameter is vulnerable. If it’s not the password, he might pass the
username to the executed command, then it’s the same. Finally, a
parameter (like the given password) like “%PATH%” will make the
command not work, a password like “; rm -rf /*;” will have other
side effects that are certainly not assumed by the programmer.
String substitution is a good thing if you know precisely what
goes into this string and what is done with the resulting string. If
it is put into Kernel#system() with shell expansion, it’s like
Kernel#eval() – you certainly don’t want to put any arbitrary, unquoted string into that without careful data checking. But
that’s happening here.
Very bad, indeed, but common practice and good triggers for long
security-related stories in newspapers.
It’s generally a very bad idea to give a password on the command line. I’m
not sure if Windows keeps a command line history, but all it would take is
for the DOS Prompt to still be open, and for someone to arrow up.
Sure, but the problem is not limited to passwords. Any input you
cannot control or carefully check is bad if it is used in shell
expansion like the above. So better not start with it at the first
place, neither for passwords, nor for something like username@host
or other thought-to-be-friendly parameters.
You are talking about two different things. Felix is about sensitive
data, you seem to be about injection. The latter is only a problem, when
the program is executed with other rights than its user, which is
normally not the case with command line programs.
Injection is very bad irrespective of the user rights and which
parameter is vulnerable. If it’s not the password, he might pass the
username to the executed command, then it’s the same. Finally, a
parameter (like the given password) like “%PATH%” will make the
command not work, a password like “; rm -rf /*;” will have other
side effects that are certainly not assumed by the programmer.
But it doesn’t enable the user to do things he isn’t allowed to do, so
it’s not a security problem. But It might make it easier to shoot
yourself in the foot.
mfg, simon … l
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.