Comment 38 for bug 1520691

Kenneth Loafman (kenneth-loafman) wrote:

I think you are flogging a dead horse. As far as I can tell, it's not possible to detect intentional shell injection, and still allow all the chars in the filename that Linux does. You have some clever examples, but what's lacking is any suggestion on how to spot shell injections.

The lftp example is good, but that's in lftp itself. Since duplicity requires a path and a URL, the command line would be invalid.
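The comment above argues that shell injection in filenames cannot be detected by inspecting the name while still permitting every character Linux allows. The block below is an added example, not code from the bug thread or from duplicity, that shows the two sides of that point on constructed filenames: a character blacklist flags perfectly legitimate names and still cannot know intent, whereas quoting the name with `shlex.quote` (or passing it as its own argv element so no shell is involved) preserves every byte without any detection step.

```python
import shlex
import subprocess

# Constructed sample filenames. All are valid on Linux (any byte except
# NUL and '/'), yet each contains characters a shell would interpret.
SAMPLE_NAMES = [
    "report 2015.txt",
    "Tom & Jerry.mp4",     # legitimate name a blacklist would reject
    "notes;rm -rf ~",
    "$(id).log",
    "`uname`.bak",
    "a|b&c>d<e",
    "newline\nin name",
]

# Shell metacharacters a naive detector might reject.
SHELL_META = ";|&$`<>\n"


def looks_like_injection(name: str) -> bool:
    """Naive blacklist check.

    Included only to illustrate the problem described in the comment:
    it rejects harmless names such as 'Tom & Jerry.mp4' and has no way
    to tell a hostile name from an unusual one.
    """
    return any(ch in name for ch in SHELL_META)


def build_shell_command(name: str) -> str:
    """Build a /bin/sh command line with the filename quoted.

    shlex.quote wraps the name in single quotes (escaping any embedded
    single quote), so the shell sees it as one literal word.
    """
    return f"ls -l -- {shlex.quote(name)}"


def build_argv(name: str) -> list:
    """Preferred form: the name is one argv element and no shell runs."""
    return ["ls", "-l", "--", name]


def echo_via_shell(name: str) -> str:
    """Round-trip the quoted name through /bin/sh.

    printf '%s' writes its argument verbatim, so the returned string
    equals the original name only if quoting preserved every byte.
    """
    result = subprocess.run(
        f"printf '%s' {shlex.quote(name)}",
        shell=True,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n!r:24} flagged={looks_like_injection(n)!s:5} "
              f"survives_quoting={echo_via_shell(n) == n}")
```

Every sample name survives the quoted round trip intact, including the one that flags as "injection", which is the comment's point: the safe path is to quote or avoid the shell, not to try to classify the filename.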