[ninkendo]

There's simple ways to "escape" user input (as in, ensure the whole input string is interpreted as a single argument to this program) in ways that ensure you can't do simple &&'s or ;'s and execute a totally different command. But the point of the article is even if it's properly escaped, users can still do malicious things when input is passed to lots of standard UNIX utilities.

[__david__]

With the GNU tools you can generally use the `--` option to signal that no more options. That combined with quotes is usually enough:

    tar c -- "$directory_to_tar"

[Gibbon1]

What I wish, I wish there was a flag in unicode to declare characters as 'unsafe user input' so that system utilizes and databases can recognize unsafe user input and barf on it.

[jacquesm]

It would be a very rare case where a vulnerability related to in-band signalling can be fixed with more in-band signalling.

[Gibbon1]

You can if your encoding is explicit about what's in band and out of band. I get the feeling you've never written a protocol ever.

[jacquesm]

I don't think you even understand the concept of in-band and out-of-band, that's not a function of the encoding. And I've written protocols aplenty in the days when not everything ran on top of HTTP, high speed serial links, with and without virtual circuits (so mux-demux) and a whole slew of others.

Just to make sure you are on the same page as the rest of us here: in-band and out-of-band is a way to distinguish sending meta information about the data stream through the same channel as the original data. You need an escape mechanism for that, so control characters and such.

Out-of-band signalling indicates that all meta information about the data stream travels through a different (virtual) circuit, in which case there can never be confusion about whether a given chunk is data or meta info.

[Gibbon1]

I now understand that your point here is to be insulting.