is following dangerous?
$ myscript '<somejsoncreatedfromuserdata>' if so, can make not dangerous?
i realize can depend on shell, os, utility used making system calls (if being done inside programming language), etc. however, i'd know kind of things should watch out for.
yes. dangerous.
json can include single quotes in string values (they not need escaped). see "the tracks" @ json.org.
imagine data is:
{"pwned": "you' & kill world;"} happy coding.
i consider piping data in program in question (e.g. use "popen" or version of "exec" passes arguments directly) -- can avoid issues result passing through shell, instance. sql: using placeholders eliminates need trifle "escaping".
if passing through shell way, may option (it not tested, similar holds "<script>" context):
for every character in json, either outside range of "space" "~" in ascii, or has special meaning in '' context of shell such \ , ' (but excluding " or other character -- such digits -- can appear outside of "string" data, limitation of trivial approach), encode character using \uxxxx json form. (per limitations defined above should encode potentially harmful characters appearing within "strings" in json , there should no \\ pairs, no trailing \, , no 's, etc.)
Comments
Post a Comment