Skip to main content.
home | support | download

Back to List Archive

Re: * : < > in search field cause crash

From: Ron Samuel Klatchko <rsk(at)>
Date: Tue Apr 11 2000 - 21:54:17 GMT
Alex Williams wrote:
> The following symbols (only) cause swish-e server error when entered
> into the search field:
> * : < >
> Swish-e documentation says, for example, the (*) symbol is used to
> truncate a word.
> typing escape (/) beforehand doesn't work either.

How exactly are you invoking SWISH-E?  My guess is that you are doing it
with some sort of front end CGI script which invokes SWISH-E via
system().  System invokes the Bourne shell which processes the command
line.  Those characters caused the shell to attempt to do certain things
to the command line which are not what you want done.

So not only is that causing an error, but it is also most likely opening
up a security hole.  Try entering the following to as your search
   whatever; /usr/bin/mail youremail < /etc/passwd; echo

You need to cleanse your output before sending it through the shell. 
There are a couple of theories on how best to do it.  My personal one is
based on the fact that single quotes (') turn off all shell
meta-character interpretation.  First, change all single ticks to
single-quote, back-slash, single-quote, single-quote ('\'') and then
surround the entire user input sequence with single quotes.  So, the
user input string:
  Ron's idea

gets converted into:
  'Ron'\''s idea'

which gets handled by the shell as three sequences:
  's idea'

Each of these sequences get processed independently.  The single-quote
sequences have the surrounding quotes removed and no further processing
done while the escaped single-quote goes in literally.
  s idea

which is then put together giving us our original:
  Ron's idea

The nice thing about this is that the user can type in anything they
want, have all the characters sent to SWISH-E and have no danger of them
tricking the shell into doing anything.

        Ron Samuel Klatchko - Senior Software Jester
            Brightmail Inc -
Received on Tue Apr 11 17:55:37 2000