Swish-e

From: Javier Wilson <jwilson(at)not-real.ibw.com.ni> Date: Tue Sep 12 2000 - 17:29:41 GMT

If you are using perl you can always regex to remove unwanted
characters to accept only letters:

$query =~ tr/A-Za-z //cd;

or to be a bit less strict (letters, numbers, wildercards, etc....
as in the CGI example in the swish-e web page:

$query =~ s/[^a-zA-Z0-9\-\_\*\.\@\(\)\=\"áéíóúÁÉÍÓÚñÑüÜ ]/ /g;

javier wilson

----- Original Message -----
From: "Chris Humphries" <ChrisJMH@vermilion99.freeserve.co.uk>
To: "Multiple recipients of list" <swish-e@sunsite.berkeley.edu>
Sent: Tuesday, September 12, 2000 6:30 AM
Subject: [SWISH-E] re: Unsafe SWISH calls from Perl

> Is the "unsafe" call to SWISH from Perl,
>
> open(SWISH, "$swish -w $query -m $results $search_tags -f $index|");
>
> unsafe on ANY platform?
>
> Are there any obvious ways of checking the values passed to remove
suspicious characters?
>
> Are there legitimate strings that one could search for that would be
interpreted as system commands?
>
> Are PCs susceptible to something like the shell-escape problem that UNIX
has?
>
> Chris Humphries
>