[augeas-devel] escaping special characters in the path sent to aug_get()
Richard W.M. Jones
rjones at redhat.com
Wed Dec 10 13:21:43 UTC 2014

On Wed, Dec 10, 2014 at 12:38:55PM +0000, Dominic Cleal wrote:
> Here's another idea:
>
> get /files/sys/class/net/*[label()='em1']/address/content
>
> Instead of putting the unsanitised content directly into the path, you
> put it into the quoted string, which significantly reduces the amount of
> escaping required.
>
> To escape safely in that string, you'd double any slashes (as there are
> some escape codes) and remove any single quotes (it appears to me that
> escaping quotes doesn't work).
>
> I agree about the direction of an aug_defconst or aug_escape though, the
> API should be able to help more with unsanitised data.

I'm having a hard time making variables work at all.

For example, is the second set of commands below supposed to work?

augtool> get /files/etc/passwd/*[label()='root']/uid
/files/etc/passwd/*[label()='root']/uid = 0

augtool> defvar username root
augtool> get /files/etc/passwd/*[label()=$username]/uid
/files/etc/passwd/*[label()=$username]/uid (o)
augtool> get /files/etc/passwd/*[label()='$username']/uid
/files/etc/passwd/*[label()='$username']/uid (o)
augtool> get /files/etc/passwd/*[label()=username]/uid
/files/etc/passwd/*[label()=username]/uid (o)

_If_ that worked, then implementing aug_defconst would allow us to
sanitize user input quite cleanly.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
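
The quoting approach described in the quoted message, as an added example that is not part of the original thread and not Augeas code. The function names are hypothetical, "slashes" is read here as backslashes (an assumption), and the sample names are constructed; the returned string is what a caller would then hand to aug_get().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_FMT "%s/*[label()='%s']/%s"

/* Copy `in` so it can sit inside a single-quoted string in an Augeas path:
 * backslashes are doubled and single quotes are dropped, as the quoted
 * message suggests. Caller frees the result; NULL on allocation failure. */
static char *quote_for_aug_string(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1);  /* worst case: all doubled */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *in != '\0'; in++) {
        if (*in == '\'')
            continue;              /* cannot be escaped, so remove it */
        if (*in == '\\')
            *p++ = '\\';           /* double the backslash */
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Build a path that selects the child of `parent` whose label equals the
 * untrusted `name`. `parent` and `child` are trusted program constants. */
static char *build_label_path(const char *parent, const char *name,
                              const char *child)
{
    char *quoted = quote_for_aug_string(name);
    char *path = NULL;
    int n;

    if (quoted == NULL)
        return NULL;
    n = snprintf(NULL, 0, LABEL_FMT, parent, quoted, child);
    if (n >= 0 && (path = malloc((size_t)n + 1)) != NULL)
        snprintf(path, (size_t)n + 1, LABEL_FMT, parent, quoted, child);
    free(quoted);
    return path;
}

int main(void)
{
    char *p = build_label_path("/files/sys/class/net", "em1' or '1'='1",
                               "address/content");  /* constructed input */
    if (p != NULL)
        puts(p);
    free(p);
    return 0;
}
```

Because single quotes are removed rather than escaped, a name that legitimately contains one will not match its node; the caller has to treat that as "not found".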