After I wrote yesterday’s post, Philip reminded me of the dangers of not validating your inputs. Here is a better telnet/ssh handler which checks the URL passed to it.
Update 2010-08-27: don’t use this script either! See my next post for a better one.
#!/usr/bin/perl
# parse URL
($protocol,$host) = split /:\/\//, $ARGV[0];
($host,$port) = split /:/, $host;
# validate input
if ( $protocol !~ /^(telnet|ssh)$/ || $host !~ /^[a-zA-Z0-9.-]+$/ || $port !~ /(^[a-zA-Z0-9_-]+$|^$)/ ) {
    warn "Invalid URL";
    exit 1;
}
# if SSH, add -p argument
# (string comparison, so text aliases like "smtp" also get -p)
if ( $protocol eq "ssh" && $port ne '' ) { $port = "-p $port" ; }
# call terminal emulator
exec("konsole --hold -e $protocol $host $port");
exit;
This script only accepts telnet:// and ssh:// URLs, where the host is a valid domain name and the port is a valid port (including text aliases like “smtp” from /etc/services). It passes SSH port arguments correctly and tells Konsole to stay open after the session terminates.
You can download a more advanced form of this script here.
-
I’m treating this as a game, so please don’t take this as anything but playful commentary.
I think the script you posted still has one vulnerability: if $host is “-ntest”, and $port is “localhost”, the telnet case will overwrite the file “test” in the current directory, often the user’s home directory.
So I’d check host and port for not starting with a “-”.
Also, I think “:” is used in IPv6 IPs, which one might reasonably want to ssh to.
I’d also suggest the reuse of $host is slightly confusing, and would suggest replacing the first instance with $authority (not a lovely term, but that’s what RFC3986 says).
($authority also includes the username, which might be good to add to ssh for those of us who didn’t get the entire internet to reserve our user name :) )
Again, this is merely commentary, not criticism or a demand you fix your script right now. Definitely no offense intended.
-
The problem is when URLs are like: telnet://host:port/
Its remedy:
# parse URL
($protocol,$host,$port) = ($ARGV[0] =~m|(.*)://([a-zA-Z0-9.-]*):([0-9]*)|);
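A stricter parser covering the points raised in the two comments above (host or port starting with "-", IPv6, user name, trailing slash), as an added example that is not the blog author's script or his later version. It assumes "konsole --hold -e" as in the post, OpenSSH's -p, -l and "--", and bracketed IPv6 literals; build_command is a hypothetical name and the sample URLs are constructed.

```perl
#!/usr/bin/perl
# Added example, not the blog author's script.
use strict;
use warnings;

# Return the argv list to run for a telnet:// or ssh:// URL, or () if invalid.
sub build_command {
    my ($url) = @_;
    return () unless defined $url;

    # scheme://[user@]host[:port][/]
    # Host, port and user must start with an alphanumeric (or "_" for user),
    # so none can be read as an option; an IPv6 literal must be bracketed,
    # as RFC 3986 requires.
    my ($scheme, $user, $host, $port) = $url =~ m{
        \A (telnet|ssh) ://
        (?: ([A-Za-z0-9_][A-Za-z0-9._-]*) \@ )?
        ( [A-Za-z0-9][A-Za-z0-9.-]* | \[ [0-9A-Fa-f:.]+ \] )
        (?: : ([A-Za-z0-9][A-Za-z0-9_-]*) )?
        /? \z
    }x or return ();

    return () if $scheme eq 'telnet' && defined $user;   # user@ only for ssh
    $host =~ s/\A\[|\]\z//g;                              # drop IPv6 brackets

    my @cmd = ('konsole', '--hold', '-e', $scheme);
    if ($scheme eq 'ssh') {
        push @cmd, '-p', $port if defined $port;
        push @cmd, '-l', $user if defined $user;
        push @cmd, '--', $host;       # "--" ends ssh option parsing
    } else {
        push @cmd, $host;
        push @cmd, $port if defined $port;
    }
    return @cmd;
}

if (@ARGV) {
    my @cmd = build_command($ARGV[0]) or do { warn "Invalid URL\n"; exit 1 };
    # List-form exec: no shell is involved, so arguments are never re-parsed.
    exec { $cmd[0] } @cmd or die "exec failed: $!\n";
}

# No argument: show the decision for constructed sample URLs.
for my $url ('ssh://bob@example.org:2222/', 'telnet://[::1]:smtp',
             'telnet://-ntest:localhost', 'ssh://example.org:-22') {
    my @cmd = build_command($url);
    print "$url => ", (@cmd ? "@cmd" : 'rejected'), "\n";
}
```

Run without arguments, it prints the command built for the first two sample URLs and "rejected" for the two whose host or port begins with "-".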