I was playing around with the erlang shell today and noticed that I could do command injections, something like the following:
我今天正在玩erlang shell并注意到我可以进行命令注射,如下所示:
io:get_chars("Cmd> ", 3).
Cmd> Dud List=[3,4,5]. io:get_line("I just took over your shell!").
Is there a way to sanitize the get_chars function's input so this isn't possible?
有没有办法清理get_chars函数的输入,所以这是不可能的?
1 个解决方案
#1
you aren't really doing command injections. io:get_chars("Cmd> ", 3). simply does it's job: read 3 characters from the input stream. everything entered after these is processed by the erlang shell as part of the normal read-eval-print loop.
你并没有真正做命令注射。 io:get_chars(“Cmd>”,3)。简单地完成它的工作:从输入流中读取3个字符。在这些之后输入的所有内容都由erlang shell作为普通read-eval-print循环的一部分进行处理。
#1
you aren't really doing command injections. io:get_chars("Cmd> ", 3). simply does it's job: read 3 characters from the input stream. everything entered after these is processed by the erlang shell as part of the normal read-eval-print loop.
你并没有真正做命令注射。 io:get_chars(“Cmd>”,3)。简单地完成它的工作:从输入流中读取3个字符。在这些之后输入的所有内容都由erlang shell作为普通read-eval-print循环的一部分进行处理。