[c-nsp] Looking-glass software?

Saku Ytti saku at ytti.fi
Thu May 18 12:21:58 EDT 2017


On 18 May 2017 at 19:14, R. Scott Evans <cisco-nsp at seidata.com> wrote:
> For internal use, why trouble oneself with the maintenance, excessive
> libraries, modules and crud that another "installed" option would require if
> you don't need all its features.  As far as injecting anything unwanted,
> that is the point of only showing a snippet... security is left to the
> OP/programmer.

No one should ever encourage the use of system() or backticks. It's pretty
much zero cost to do it the right way via, say, popen.

To keep things on topic, I'm glad Cisco has not learned this lesson:
in the 3850/3650 when they were released, I wanted to look into the Linux
shell, but it was guarded by PKI. Luckily the verification was
system(/some/script/to/check/it <userinput>/) and checking the return
value. So give poop||true, and you got to the Linux shell.
Your code has the same issue, as does every piece of code which makes the
extremely naive mistake of calling external binaries via shell expansion,
when there is an almost as simple solution where user input sanity is irrelevant.

-- 
  ++ytti


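The bypass described in the post, as an added example that is not part of the thread and not Cisco's code: a constructed stand-in check script accepts exactly one argument and exits 0 only for a fixed expected value. Calling it through system() with the user's input pasted into the command string lets `poop||true` pass, because the return value is the shell's exit status and the shell ran `true` after the check failed. Passing the input as one argv element with no shell in between, the argv-list equivalent of popen without a shell, hands the literal string `poop||true` to the script, which rejects it. The script path, the expected value and the function names are assumptions of this example.

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the check script in the post (assumption: not the
# real script). Exit 0 only if there is exactly one argument equal to a fixed
# expected value; anything else exits 1.
CHECK_SCRIPT = """#!/bin/sh
[ "$#" -eq 1 ] && [ "$1" = "correct-horse-battery-staple" ]
"""
EXPECTED = "correct-horse-battery-staple"


def write_check_script(directory):
    """Write the stand-in script to `directory` and make it executable."""
    path = os.path.join(directory, "check")
    with open(path, "w") as fh:
        fh.write(CHECK_SCRIPT)
    os.chmod(path, stat.S_IRWXU)
    return path


def check_via_system(script, userinput):
    """The naive pattern from the post: user input interpolated into a
    command string handed to /bin/sh. Shell metacharacters in userinput
    become shell syntax, and os.system() returns the shell's exit status,
    not the check script's."""
    return os.system(f"{script} {userinput}") == 0


def check_via_argv(script, userinput):
    """The cheap fix: argv list, no shell. userinput reaches the script as
    a single literal argument regardless of what characters it contains,
    so no sanitising of the input is needed for this to be safe."""
    result = subprocess.run([script, userinput])
    return result.returncode == 0


def run_demo():
    """Run both variants against the correct value and the bypass string.
    Returns a dict of results so they can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        script = write_check_script(tmp)
        bypass = "poop||true"  # fails the check, then `true` exits 0
        return {
            "system_correct": check_via_system(script, EXPECTED),
            "system_bypass": check_via_system(script, bypass),
            "argv_correct": check_via_argv(script, EXPECTED),
            "argv_bypass": check_via_argv(script, bypass),
        }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'access granted' if ok else 'denied'}")
```

The only difference between the two callers is whether a shell sits between the program and the check script. With the argv form, `poop||true` is just a twelve-character argument that does not match, so the input never needs to be inspected for metacharacters at all.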