[mythtv-users] User jobs - bash way to handle spaces in title?
bjett80 at gmail.com
Mon Jun 26 20:46:15 UTC 2006
On 6/26/06, Peter Watkins <peterw at tux.org> wrote:
> Jerry Bett wrote:
> > This may be more of a bash question than a myth question ... if so,
> > forgive me.
> > I have a user job that encodes shows for my Palm TX ... run as :
> > palmencode $FILE% "$TITLE%" "%SUBTITLE%"
> > 'palmencode' is a bash script inputting the command line as $1, $2 and
> > How can one get the full title with spaces and other special characters
> Eek. When you find a decent fix for this, update
> This looks like a likely security problem; what happens if someone at
> the organization providing your listings decides to publish a subtitle
> x;#";#';touch /tmp/coulda-done-anything
> Would Myth then cause "touch /tmp/coulda-done-anything" to run? Does
> Myth have anything like Wietse Venema's safe_finger character scrubber?
> I think the best approach with the current features would be to only
> pass a variable that should only have safe chars like %FILE% to some
> wrapper script. The wrapper script would get the other details from
> MySQL, and would scrub each variable extracted from MySQL before calling
> palmencode. It's technically possible to safely call palmencode with
> arbitrary data, e.g. in Perl, you can pass multiple args to an app with
> system() by passing multiple arguments to system() like
> system("/path/to/palmencode",$file,$title,$subtitle) should lead to
> palmencode properly reading the input -- but I would not assume that
> palmencode and the apps it calls can handle arbitrary strings. All too
> often, Unix/Linux scripts and apps expect to be passed "safe" args.
> Another approach would be to make a wrapper script and call it with a
> user job like
> palmencode_wrapper FILE____%FILE% TITLE____%TITLE% SUBTITLE____
> Have palmencode_wrapper build a single string out of all the arguments,
> use the odd ____ prefixes to extract the variables, change whitespace to
> something like "_", scrub them of any characters not known to be OK
> (regexp [^0-9a-zA-Z\.\_\-] ?), and then pass those sanitized args to
> palmencode. This approach should work for most innocent title/subtitle
> values, but it sounds like Myth is letting some shell expansion take
> place, so this wouldn't be a bulletproof workaround.
> I don't think you should have to go to that trouble though. IMO, Myth
> should use a "positive"/"white list" filter (allow known good; discard
> other) for those variables (and document the whitelist, so users know
> whether to expect whitespace, for instance). If it doesn't, and my
> 'touch' suggestion really would make that test file, then it's a
> security flaw.
> Myth shouldn't bother trying to escape chars with "/", etc. Any app that
> really needs the raw strings should check with the database.
Looks like the problem was self-induced.
I added additional logging to my script, specifically "echo $@ >> $LOG" and
did not see any quotes around the TITLE/SUBTITLE values.
Checking mythtv-setup again I found the quotes missing ...instead of
only had $TITLE. I know I added them ... no idea why they were missing.
Anyway ... looks like it's working now.
As far as security, the $TITLE & $SUBTITLE are used as the filename of the
palm file, i.e. $OUTFILE=$TITLE"-"$SUBTITLE".avi" .
The final command for the script is cp TEMPFILE $OUTFILE . I'm curious
as to whether a malicious $TITLE could be used and will check it out.
Thanks for the info !
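The wrapper approach Peter sketches above (the ____-prefixed arguments, whitespace to "_", the [^0-9a-zA-Z._-] scrub) together with a quoted form of Jerry's $TITLE"-"$SUBTITLE".avi" copy, as an added example that is not code from either poster or from MythTV. The name palmencode_wrapper, its argument layout and a three-argument palmencode are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. A wrapper of the kind Peter
# describes; the (hypothetical) MythTV user job line would be
#   palmencode_wrapper FILE____%FILE% TITLE____%TITLE% SUBTITLE____%SUBTITLE%
# and 'palmencode' is assumed to take <file> <title> <subtitle>.
set -u
export LC_ALL=C   # make the a-z/A-Z ranges below mean ASCII only

# Whitelist scrub: whitespace becomes '_', then everything outside
# [0-9a-zA-Z._-] (the class Peter suggested) is deleted.
scrub() {
    printf '%s' "$1" | tr -s '[:space:]' '_' | tr -cd '0-9a-zA-Z._-'
}

# extract "<all args joined, with a leading space>" KEY
# Prints the text after " KEY____" up to the next " MARKER____", trimmed.
# A marker only counts at an argument boundary (preceded by a space), so the
# TITLE____ inside SUBTITLE____ is never mistaken for the title marker.
extract() {
    local all=$1 key=$2 rest m
    rest=${all#*" ${key}____"}
    if [ "$rest" = "$all" ]; then return 0; fi   # marker absent: empty value
    for m in FILE TITLE SUBTITLE; do
        rest=${rest%%" ${m}____"*}
    done
    rest=${rest#"${rest%%[! ]*}"}                 # trim leading spaces
    rest=${rest%"${rest##*[! ]}"}                 # trim trailing spaces
    printf '%s' "$rest"
}

# Jerry's $TITLE"-"$SUBTITLE".avi", built only from scrubbed values, so the
# name can contain no '/', whitespace or shell metacharacters.
safe_outfile() {
    printf '%s-%s.avi' "$(scrub "$1")" "$(scrub "$2")"
}

palmencode_wrapper() {
    local all=" $*" file title subtitle outfile
    file=$(extract "$all" FILE)          # %FILE% is a path: quote it, don't scrub it
    title=$(scrub "$(extract "$all" TITLE)")
    subtitle=$(scrub "$(extract "$all" SUBTITLE)")
    outfile=$(safe_outfile "$title" "$subtitle")
    # Every expansion is double-quoted and '--' ends option parsing, so a
    # scrubbed value that begins with '-' cannot be read as an option:
    #   palmencode -- "$file" "$title" "$subtitle" && cp -- "$TEMPFILE" "$outfile"
    printf 'palmencode -- [%s] [%s] [%s] -> %s\n' "$file" "$title" "$subtitle" "$outfile"
}
```

Run it as `palmencode_wrapper FILE____/path/to/rec.mpg TITLE____My Show SUBTITLE____Ep 1` to see the sanitized arguments it would pass on; the subtitle from Peter's message scrubs down to plain letters, underscores and hyphens.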