Philip continues to play devil’s advocate / script kiddie for my telnet URL handler. My input checker allowed host/port definitions to begin with a hyphen character. That’s an invalid domain name, so I ignored the possibility that someone might try it. Philip used it to pass a switch to the telnet/ssh command.
Here is attempt number 3, now with more complicated regular expressions:
#!/usr/bin/perl
# parse URL
($protocol,$host) = split /:\/\//, $ARGV[0];
($host,$port) = split /:/, $host;
# validate input
if ( $protocol !~ /^(telnet|ssh)$/ ||
$host !~ /^[a-zA-Z0-9][a-zA-Z0-9.-]*$/ ||
$port !~ /(^[a-zA-Z0-9][a-zA-Z0-9_-]*$|^$)/ ) {
warn "Invalid URL";
exit 1;
}
# if SSH, add -p argument
if ( $protocol eq "ssh" && $port != '' ) { $port = "-p $port" ; }
# call terminal emulator
exec("konsole --hold -e $protocol $host $port");
exit;
Your move, sir.
You can download an updated url-terminal script here. You can read the post that started this here.
-
Its not entirely clear to me what your use case here is, but when you’re execing with elevated privileges you normally want to specify your binaries by a full path, otherwise I can put a ‘konsole’ script in my path ahead of the real binary. Same with ssh and telnet.
Looks good!
-
My intention is to protect against mal-formed URLs. If the user has a local script named konsole, ssh, or telnet, that’s his own problem. :)
-
-
Ah, fair enough. I should check older posts before I speak. :)
-
I’m officially declaring the script bug-free, and waiting to be proved wrong ;)
-
That endorsement is totally going in the source code. It’s all your fault now!
-
And seriously, thanks for the help. I learned some things.
-
6 comments
Comments feed for this article
Trackback link: http://www.tolaris.com/2010/08/27/telnet-url-handler-part-3/trackback/