10.5: Create an XKCD-influenced Mac 'doorbell'
Authored by: soapbeard on Jan 21, '09 08:31:15AM

Be careful with this, that script contains a command injection vulnerability.
You should fix this if you want to make it accessible by the internet.



would get it to run this:

say "hello" ; rm -rf / ; echo ""

Which would say hello, then try and delete all your files. With the right url it could do anything, like use your machine to send spam.

I would suggest changing:

$cmd = sprintf('say "%s"', $_GET['say']);


$cmd = sprintf('say "%s"', preg_replace('/[^\w\d ]/','',$_GET['say']));

which should remove anything other than a letter, digit or space and stop any command injection.

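As an added illustration (not code from the hint or from either comment), the PHP below builds the `say` command string three ways: the original `sprintf()` pattern, the allowlist `preg_replace()` fix from the comment above, and PHP's built-in `escapeshellarg()`, which keeps the text intact but passes it as one quoted argument. The `$payload` value is constructed in the shape the comment describes, and the functions only return the string that would reach the shell; nothing is executed.

```php
<?php
// Added example, not the hint's own code. Each builder returns the command
// string that exec() would receive; none of them run it.

// The original pattern: untrusted input interpolated straight into a shell string.
function build_vulnerable(string $say): string {
    return sprintf('say "%s"', $say);
}

// The fix from the comment: drop every character that is not a word
// character, digit or space, so quotes and ';' never reach the shell.
function build_allowlisted(string $say): string {
    return sprintf('say "%s"', preg_replace('/[^\w\d ]/', '', $say));
}

// Alternative: keep the text but wrap it as a single shell argument.
// escapeshellarg() single-quotes the value and escapes embedded single quotes.
function build_quoted(string $say): string {
    return 'say ' . escapeshellarg($say);
}

// Constructed input (hypothetical) matching the injection the comment describes.
$payload = 'hello" ; rm -rf / ; echo "';

$builders = [
    'vulnerable'  => 'build_vulnerable',
    'allowlisted' => 'build_allowlisted',
    'quoted'      => 'build_quoted',
];

foreach ($builders as $label => $fn) {
    printf("%-12s %s\n", $label . ':', $fn($payload));
}
```

Running it prints the vulnerable form as `say "hello" ; rm -rf / ; echo ""`, the allowlisted form as `say "hello  rm rf   echo "` (metacharacters stripped, words kept), and the quoted form as `say 'hello" ; rm -rf / ; echo "'`, where the whole payload is spoken literally rather than interpreted. The allowlist is the simpler choice when only plain words need to be spoken; `escapeshellarg()` is the one to reach for when punctuation in the text must survive.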
Thanks, skicker; fix added
Authored by: ManasTungare on Jan 21, '09 08:51:52AM

Thanks for highlighting the command injection vulnerability! I added the fix to the blog post.
