[GRASS-user] grass env
Hamish
hamish_b at yahoo.com
Tue Mar 2 22:10:24 EST 2010
... and if *any* user editable inputs will be visible from the web side of
the app make 100% sure that you have bounds checked and sanitized every
single one of them. Stripping all punctuation and limiting the string length
before passing as a module option is a good first step.
I've no idea about java but with unix power tools pipe it through
`cut -b 1-255 | sed -e 's/[^a-zA-Z0-9_]//g'`
to only keep the first 255 chars, and only keep a-z, A-Z, 0-9, and the
underscore "_".
There are chances for buffer overflows and unquoted shell script variables
all over the place.
Hamish
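The whitelist filter described above, written out as a small POSIX sh function. This is an added example and not code from Hamish's post or from GRASS itself; the module and option in `build_cmd` (`v.info map=...`) are placeholders standing in for whatever module the web app actually calls, and the three demo inputs at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): whitelist-filter a web-supplied
# string before it becomes a GRASS module option value. "v.info map=..." is a
# placeholder for the real module call.

# Keep only [A-Za-z0-9_] and at most the first 255 bytes. tr -cd also drops
# newlines, so a multi-line input cannot turn into a second shell command.
sanitize_opt() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9_' | cut -b 1-255
}

# Build the module command line with the value double-quoted, and refuse an
# input that is empty after filtering instead of running the module with a
# blank option.
build_cmd() {
    name=$(sanitize_opt "$1")
    if [ -z "$name" ]; then
        return 1
    fi
    printf 'v.info map="%s"\n' "$name"
}

# Constructed demo inputs: a plain map name, one carrying shell
# metacharacters, one that is far too long, and one with nothing usable.
build_cmd 'roads_2010'
build_cmd 'roads; id'
build_cmd "$(printf '%300s' '' | tr ' ' 'x')"
build_cmd '!!!' || echo "rejected: empty after filtering"
```

Filtering before truncating (rather than the other way round) means the 255-byte limit applies to what actually reaches the module, and quoting the value in `build_cmd` covers the "unquoted shell script variables" point even if a later change to the whitelist lets spaces through.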