security of "%" placeholders when executing commands - Re:Can I log winpopup messages ?

Andrew Bartlett abartlet at pcug.org.au
Thu Jan 17 04:28:34 GMT 2002


Martyn Ranyard wrote:
> 
> Not necessarily, for instance, you cannot have a username with a backquote,
> I am not one of the programmers who wrote samba, but if they have a
> "make-safe" procedure, I would imagine they run it on all macros.
> 
> Could one of the samba team comment, and hopefully if it isn't then it
> could be a relatively small patch.

I'm always paranoid about the macros, and rightly so - we have been
bitten badly in the past.  Now the various macros should have anything
not *completely* boring stripped out from them, but if you really care,
check the source yourself.  (You will also notice that doing so isn't
trivial either...).

Always use the latest Samba - as 2.2.1 and 2.2.0a both had fixes in this
area.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
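
The stripping described in the message above, as an added C sketch that is not Samba's code and not part of the original post: a client-supplied value is reduced to an allow-list of characters before it replaces a placeholder in a command template. The function names, the allow-list and the use of a single `%f` placeholder are assumptions made for illustration, and the sample inputs in the comments are constructed.

```c
#include <string.h>

/* Assumed allow-list (not Samba's): characters with no special meaning to a shell. */
static int is_boring(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Copy src into dst (capacity n), dropping every character outside the allow-list.
 * A leading '-' is dropped too, so the value cannot be read as an option.
 * Constructed example: "pc1`id`;x" becomes "pc1idx". */
char *strip_unsafe(const char *src, char *dst, size_t n)
{
    size_t j = 0;
    if (n == 0)
        return dst;
    for (; *src && j + 1 < n; src++) {
        unsigned char c = (unsigned char)*src;
        if (is_boring(c) && !(c == '-' && j == 0))
            dst[j++] = (char)c;
    }
    dst[j] = '\0';
    return dst;
}

/* Expand each %f in tmpl with the stripped value. Returns 0, or -1 if out is too small. */
int expand_command(const char *tmpl, const char *from, char *out, size_t n)
{
    char safe[64];
    size_t j = 0, len;
    if (n == 0)
        return -1;
    len = strlen(strip_unsafe(from, safe, sizeof safe));
    for (; *tmpl; tmpl++) {
        if (tmpl[0] == '%' && tmpl[1] == 'f') {
            if (j + len >= n)
                return -1;          /* refuse rather than truncate a command */
            memcpy(out + j, safe, len);
            j += len;
            tmpl++;                 /* skip the 'f' */
        } else {
            if (j + 1 >= n)
                return -1;
            out[j++] = *tmpl;
        }
    }
    out[j] = '\0';
    return 0;
}
```

Keeping a short list of known-harmless characters covers shell metacharacters that a deny-list of individual characters such as the backquote would miss.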