[7520] in bugtraq
Re: PATCH: faxsurvey
daemon@ATHENA.MIT.EDU (Sir Syko)
Tue Aug 4 20:35:35 1998
Date: Tue, 4 Aug 1998 13:07:04 -0400
Reply-To: sirsyko@BLEEP.ISHIBOO.COM
From: Sir Syko <sirsyko@BLEEP.ISHIBOO.COM>
X-To: dod@muenster.net
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <35C71E1E.1B@muenster.net> from Tom at "Aug 4, 98 07:43:42 am"
> Hi.
>
> Here comes the patch for the 'faxsurvey' cgi-script.
> The problem is the quotation marks for the 'eval' command.
> Will they ever learn?
>
> Don't forget to remove/chown 'faxsurvey.orig' after patching.
>
> Cheers
> Tom
how does your "patch" do anything except break the cgi? You are telling perl to
eval the ECHO command which doesn't exist. Also, the quotes still aren't properly
terminated.
> +eval "ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
>
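Review bot: the `+eval` line invokes a command literally named `ECHO` rather than `$ECHO`, and the inner double quotes around `$QUERY_STRING` close the outer string, so after expansion the shell re-parses `ECHO <query string> | $UNQUOTE -qn | $SED ...` with the query string unquoted, which leaves the original command-injection path open. The underlying defect is that `$QUERY_STRING` is spliced into text that `eval` hands back to the parser; dropping the `eval` and writing `$ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'` (or `printf '%s\n' "$QUERY_STRING"`, since `echo` interprets some arguments) expands the variable once, as a single word, so no character in it is treated as shell syntax.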
should you not make this:
eval "$ECHO \'$QUERY_STRING\' | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
which will pass the single quotes to the shell, telling it that this string
should be literal? Even better would be to pass the string through a filter
that strips nasty characters.
Adam
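The quoting problem discussed in this thread, as an added example that is not part of the thread or of the faxsurvey script: a stand-in for the PATH-stripping step, once with the user-controlled query string spliced into an `eval`'d command as in the patch, and once expanded as a single quoted word without `eval`. `$UNQUOTE` is left out, `ECHO`/`SED` are set to plain `echo`/`sed`, and the inputs are constructed.

```shell
#!/bin/sh
# Added example, not the faxsurvey script or Tom's patch. Stand-in values for
# the script's variables; $UNQUOTE is omitted because the point is the eval.
ECHO=echo
SED=sed

# Vulnerable shape (as in the patched line): the query string is spliced into
# a command line that eval hands back to the shell parser, so any ';', '|',
# '`' or '$(' inside it is parsed as shell syntax, not as data.
eval_filter() {
    QUERY_STRING=$1
    eval "$ECHO $QUERY_STRING | $SED 's/PATH=[^;]*;//g'"
}

# Hardened shape: no eval. "$QUERY_STRING" is expanded exactly once, as a
# single word, and written to the pipe by printf; the shell never re-parses
# its contents, so quotes and metacharacters reach sed as literal bytes.
safe_filter() {
    QUERY_STRING=$1
    printf '%s\n' "$QUERY_STRING" | $SED 's/PATH=[^;]*;//g'
}

# Constructed sample inputs: a normal query and one carrying an embedded
# quote plus a harmless injected command.
BENIGN='name=alice;PATH=/tmp;dest=1234'
TRICKY="it's;PATH=/tmp;x;echo INJECTED"

echo "eval, benign : $(eval_filter "$BENIGN")"
echo "eval, tricky : $(eval_filter "$TRICKY")"   # second line shows INJECTED
echo "safe, benign : $(safe_filter "$BENIGN")"
echo "safe, tricky : $(safe_filter "$TRICKY")"   # one line, nothing executed
```

With the hardened form the PATH= assignment is still stripped, and the rest of the input survives byte for byte, embedded quote included.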