[GRASS-user] grass env

Hamish hamish_b at yahoo.com
Tue Mar 2 22:10:24 EST 2010

... and if *any* user editable inputs will be visible from the web side of
the app make 100% sure that you have bounds checked and sanitized every
single one of them. Stripping all punctuation and limiting the string length
before passing as a module option is a good first step.

I've no idea about java but with unix power tools pipe it through
  `cut -b 255 | sed -e 's/[^a-zA-Z0-9_]//g'`

to only keep the first 255 chars, and only keep a-z, A-Z, 0-9, and the
underscore "_".

there are chances for buffer overflows and unquoted shell script variables
all over the place.



More information about the grass-user mailing list