
[abcde] Nasty shell evaluation

Hi Robert,

I was encoding the following CD, and saw something alarming in the output.

The initial lookup found:

One inexact match:
classical 560f5a06 Bruch and Brahms / Violin Concertos (Nishizako), ***
#1: ---- classical 560f5a06 Bruch and Brahms / Violin Concertos (Nishizako),
*** ----
1: Bruch's VC1 in G minor, Op.26: I. Prelude. Allegro moderato
2: II. Adagio
3: III. Finale. Allegro energico
4: Brahms' VC in D major, Op.77: I. Allegro non troppo- Cadenza-
5: II. Adagio
6: III. Allegro giocoso, ma non troppo vivace- Poco piu presto


Notice the '***' trailing the title; presumably this is from the CD
database. Alarmingly, the comments attached to the resulting Ogg Vorbis files
included a listing of the current directory.

Your shell expansion escaping looks plausible, but allowing any shell
expansion of supplied data makes me nervous. Perhaps there's a cunning
attack by choosing elements of output filenames such that globbing would
insert unescaped shell into the output file. Could you perhaps escape '
and * as well and single quote the output?
Or replace all that shell with Perl :)

Perhaps I'll get some time later to produce a patch.

Yours,

Colin

-- 
Colin Stephen
PGP/GPG Fingerprint: 66F0 CD0A 9EC6 367F C3B4  7EB0 C76D CFBE 86CF 21E4
"Every good boy deserves fudge"
To unsubscribe: echo unsubscribe | mail abcde-request@whimsica.lly.org
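The mechanism behind the directory listing in the tags, as an added example (not code from abcde or from Colin's mail): an unquoted expansion of the CDDB-supplied title is word-split and globbed, so the trailing `***` expands to the files in the current directory, while quoting the expansion, or single-quoting the value for a later `eval`, keeps it literal. The function names and the sample title are my own, constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from abcde or from Colin's mail: shows why an
# unquoted expansion of CDDB-supplied text leaks a directory listing into
# the tag, and two ways to keep the text literal. The title is constructed
# to carry the trailing "***" seen in the CDDB entry.
TITLE='Bruch and Brahms / Violin Concertos (Nishizako), ***'

# Defective variant: $1 is deliberately left unquoted, so the shell
# word-splits it and runs pathname expansion on each word; "***" is
# replaced by the names of the files in the current directory.
unsafe_title_comment() {
    set -- $1
    printf '%s\n' "TITLE=$*"
}

# Fixed variant: double-quoting the expansion disables word splitting and
# globbing, so the tagger receives the title exactly as CDDB returned it.
safe_title_comment() {
    printf '%s\n' "TITLE=$1"
}

# For text that must survive a further shell round trip (a command string
# built up and passed to eval), wrap it in single quotes and turn every
# embedded ' into '\'' (close quote, escaped quote, reopen). Single quotes
# suppress all expansion, so * and ' inside the value stay literal.
# Note: command substitution drops trailing newlines from the value.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Run the three variants in a scratch directory holding two files; the
# subshell keeps the cd from leaking into the caller's working directory.
demo() (
    cd "$(mktemp -d)" || exit 1
    touch alpha.ogg beta.ogg
    echo "unquoted: $(unsafe_title_comment "$TITLE")"
    echo "quoted:   $(safe_title_comment "$TITLE")"
    echo "for eval: $(sq_quote "Bruch's VC1, ***")"
)

demo
```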