Re: [code] Any ideas ?

From: Jörgen (di4sig@cse.hks.se)
Date: 10/03/96


> > Just wondering about the code snippet presented below.
> > I may be wrong, but don't we have a recipe for disaster if
> > someone were to put an email address of (for instance) ;rm -rf *
> > or something to that effect?
> > 
> > > sprintf(buf, "mail -s \"%s\" %s <MAILFILE.TXT &", subject, emailaddr);
> > > 
> 
> You could always
> 
> if (strchr(emailaddr, ';') != NULL) {
             ^^^^^^^^^^^^^
             What happens if this would be a '&' instead? Bye bye files

> 
> send_to_char("try again asshole");
> 
> }
> 

Make some kind of generic function that will check the incoming string.
Allow NO Unix shell-characters ; : & > < and you will be fine.

// Zigg
+-----------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
|   http://cspo.queensu.ca/~fletcher/Circle/list_faq.html   |
+-----------------------------------------------------------+
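
The generic check suggested in this message, written out as an added example (not code from the original post or from CircleMUD). It goes beyond the characters named above by accepting only an allowlist and rejecting everything else; the function name `is_safe_email_arg`, the length limit and the allowed character set are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ADDR_LEN 254   /* assumed upper bound for this example */

/* ASCII-only test, independent of the current locale. */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/*
 * Hypothetical helper: returns 1 if addr may be placed on the mail
 * command line built by sprintf(), 0 otherwise.
 * Allowlist (assumed): ASCII letters, digits and the characters "@._+-".
 */
int is_safe_email_arg(const char *addr)
{
    size_t i, len, at_count = 0;

    if (addr == NULL)
        return 0;
    len = strlen(addr);
    if (len == 0 || len > MAX_ADDR_LEN)
        return 0;
    /* A leading '-' would be read by mail as an option, not an address. */
    if (addr[0] == '-')
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];

        if (c == '@') {
            at_count++;
            continue;
        }
        if (is_ascii_alnum(c) || strchr("._+-", c) != NULL)
            continue;
        /* Anything else is refused: ; : & > < | quotes, spaces, newlines. */
        return 0;
    }
    /* Exactly one '@', and not as the first or last character. */
    return at_count == 1 && addr[0] != '@' && addr[len - 1] != '@';
}
```

The caller would run this before the `sprintf()` and refuse the request when it returns 0; the `subject` argument is interpolated into the same command line and needs its own check.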



This archive was generated by hypermail 2b30 : 12/18/00 PST