I'm looking to prevent shell injection. I have some code as follows in my backend in bash:
`cmd $user_input1 $user_input2`
I haven't found a way to exploit this code yet. I was thinking if
`user_input1="| ls >/tmp/hi"`
then a file called `/tmp/hi` would be created. This is not the case since special characters like `|` seem to be ignored and are just passed as literal arguments to `cmd`. Is there any way to interpret these special characters to do some shell exploits?
Thank you
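What the shell does with the unquoted expansions from the question, next to the quoted form, as an added example that is not part of the original post. `count_args` is a hypothetical stand-in for `cmd`, and the input values and scratch files are constructed.

```shell
#!/bin/sh
# Stand-in for "cmd" (hypothetical helper): prints how many arguments it got.
count_args() { printf '%s\n' "$#"; }

# Runs count_args on two constructed inputs inside a scratch directory that
# holds exactly two files, so pathname expansion gives a predictable result.
# $1 selects "unquoted" (the question's form) or "quoted" (hardened form).
# Prints "<argument count> <created|not-created>" for the redirect target.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > a.txt
        : > b.txt
        user_input1='| ls >hi'   # the question's string, with a relative path
        user_input2='*'          # constructed value containing a glob character
        if [ "$1" = unquoted ]; then
            # Variables are expanded after the command line has been parsed,
            # so | and > arrive as plain text and are never operators.
            # The results are still split on whitespace and glob-expanded,
            # so cmd does not receive the values the caller supplied.
            # shellcheck disable=SC2086
            n=$(count_args $user_input1 $user_input2)
        else
            # Quoted: each value reaches cmd unchanged as exactly one argument.
            n=$(count_args "$user_input1" "$user_input2")
        fi
        # The redirect inside the value is never performed in either form.
        if [ -e hi ]; then state=created; else state=not-created; fi
        printf '%s %s\n' "$n" "$state"
    )
    rm -rf "$dir"
}

demo unquoted   # prints: 5 not-created
demo quoted     # prints: 2 not-created
```

The unquoted call hands `cmd` five arguments (`|`, `ls`, `>hi`, `a.txt`, `b.txt`) instead of two, which is why every expansion passed to a command should be double-quoted.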