Bugtraq mailing list archives

Re: PATCH: faxsurvey


From: sirsyko () BLEEP ISHIBOO COM (Sir Syko)
Date: Tue, 4 Aug 1998 13:07:04 -0400


Hi.

Here comes the patch for the 'faxsurvey' cgi-script.
The problem is the quotation marks for the 'eval' command.
Will they ever learn?

Don't forget to remove/chown 'faxsurvey.orig' after patching.

Cheers
        Tom

How does your "patch" do anything except break the CGI? You are telling perl to
eval the ECHO command, which doesn't exist. Also, the quotes still aren't properly
terminated.

+eval "ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
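Review bot: the inner double quotes around $QUERY_STRING close the outer string, so the line is parsed as `eval "ECHO "$QUERY_STRING" | ... "` with ECHO a literal word and the query value left unquoted, and whatever the decoded value contains is then re-parsed by eval as shell source. No choice of quotes inside the eval string fixes that while eval remains. Suggest dropping eval and running the pipeline directly with the variable double-quoted, `$ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'`, so the value reaches the commands as an argument rather than as code.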


should you not make this:

eval "$ECHO \'$QUERY_STRING\' | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"

which will pass the single quotes to the shell, telling it that this string
should be literal?  Even better would be to pass the string through a filter
that strips nasty characters.

Adam
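As an added example (not faxsurvey, Tom's patch, or Adam's proposal), here is the same pipeline written so that the query string is only ever handled as data: no eval at all, plus the allowlist filter Adam asks for. It assumes the hylafax UNQUOTE helper can be replaced by the urldecode function below, and keeps the sed expression from the patch for the PATH= stripping. The sample query strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of faxsurvey, Tom's patch or Adam's reply.
# The decoded query string must never be re-parsed by the shell, so every
# step below receives it as an argument; there is no eval anywhere.
#
# Assumptions: the hylafax $UNQUOTE -qn step is stood in for by urldecode;
# the PATH= stripping is the sed expression from the patch.

# urldecode: '+' becomes a space and %XX becomes the byte it encodes,
# handled one character at a time in plain sh (%XX -> octal -> printf escape).
urldecode() {
    s=$(printf '%s' "$1" | sed 's/+/ /g')
    out=''
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}
                hex=${hex%"${hex#??}"}          # the two hex digits after '%'
                oct=$(printf '%o' "0x$hex")
                c=$(printf "\\${oct}x")          # trailing 'x' keeps a decoded newline alive
                out=$out${c%x}
                s=${s#???}
                ;;
            *)
                out=$out${s%"${s#?}"}           # copy one literal character
                s=${s#?}
                ;;
        esac
    done
    printf '%s' "$out"
}

# strip_path_assignments: the patch's own sed expression, run on an argument.
strip_path_assignments() {
    printf '%s' "$1" | sed 's/PATH=[^;]*;//g'
}

# sanitize_query: Adam's "filter that strips nasty characters", done as an
# allowlist. Quotes, ';', '`', '$', '|', '<', '>' and control characters
# (including newlines) are dropped rather than escaped.
sanitize_query() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9 &=@%._:/+-'
}

# process_query: decode, strip PATH= assignments, then filter. The value is
# passed between steps as an argument, never interpolated into shell source.
process_query() {
    decoded=$(urldecode "$1")
    stripped=$(strip_path_assignments "$decoded")
    sanitize_query "$stripped"
}

# Constructed sample input: an apostrophe in a surname and a stray ';' are
# ordinary data here and simply get filtered, not executed.
process_query 'name=O%27Brien&fax=%2B1%3B'
echo
```

Because decoding happens before the PATH= stripping and the allowlist filter runs last, the sed expression still sees the ';' it keys on, while anything the shell would treat specially is gone before the value is used further. The filter is defense in depth; the real fix is that the string is never given to eval.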


