Ted wrote:
Kees, is there some way to validate a command line to make sure you're not causing any security holes by calling shell variables that you don't mean to? It seems like there should be something generic out there.
Sorry, I'm way busy. From the looks of it, glib provides g_shell_quote(), which should be used in a per-argument fasion. e.g. if the extension is running:
PROGRAM ARG1 ARG2 SVGPATH
via something like:
sprintf("%s %s %s %s", program, arg1, arg1, path);
Then each element should be quoted:
prog_q = g_shell_quote(program); arg1_q = g_shell_quote(arg1); arg2_q = g_shell_quote(arg2); path_q = g_shell_quote(path); sprintf("%s %s %s %s", prog_q, arg1_q, arg2_q, path_q); g_free(prog_q); g_free(arg1_q); g_free(arg2_q); g_free(path_q);
However, I much more recommend using arrays for doing execution, since that forces the right arguments and stops any kind of shell expansion.