Question:
Website text box, only accept certain words?
Andrew Smith
2013-10-16 01:56:40 UTC
Hi,

I am trying to create a text box on my website but this only accepts certain words, such as ls / cd. And commands like chmod 777 are disregarded.

Is there a way of making this to work?

Also I want to connect this to a hidden shell, how can I do this?

Thank You
Three answers:
tumbleweed_biff
2013-10-16 02:22:16 UTC
All you need to do is perform normal input validation, except that you have to define the list of things that are valid. Normally, you would validate based upon something like whether it is alpha or numeric. In this case, you will perform a string comparison against your list of valid inputs. Assuming you don't care about case sensitivity, simply convert the string input to upper or lower case and then compare to your list.

I don't know about hidden shell ...
2013-10-16 23:28:20 UTC
A few points

1. This will add a huge security hole to your server. It sounds like a really bad idea to me.

2. DO NOT USE ONLY JavaScript FOR VALIDATION. JavaScript runs on the client system, so any validation using JavaScript can be easily bypassed. You really need to validate on the back end as well with whatever language you use to code the page, be it PHP, Python, etc.

3. If you don't know how to validate yourself, you should not be trying something this risky. For example, if you were to validate by checking if the string started with a good command like chmod, all someone would have to do is run the command

chmod 777 && rm -rf *

and your server would be dead. Even if it's in a password-protected section of the site, it's still a big risk to take.
?
2013-10-16 10:06:56 UTC
You can use regular expressions to match the input against a list of allowed commands.
For instance:

var p = /^cd\s+.+/i;   // anchored with ^ so the input must begin with the cd command, not merely contain one

if (input.match(p)) { /* the command is on the allowed list */ }

This will do a case-insensitive match, allowing any string that starts with "cd", then has at least one space, then at least one character.

You'd put all allowed commands into an array, and iterate through it. If the command matches nothing, disregard it.
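Putting the second and third answers together, here is an added back-end example (my own code, not from this thread): a prefix check of the kind the second answer warns about, next to a tokenised allow-list validator. The allow-list, the per-argument pattern and the sample inputs are constructed for the example; the validator only returns an argv list, it never executes anything.

```python
import re
import shlex

# Constructed policy: the two commands the question wants to accept, each
# with a pattern every argument must satisfy (plain relative names only:
# no leading '-' or '.', no '/', no spaces or shell metacharacters).
ALLOWED = {
    "ls": re.compile(r"\w[\w.\-]*"),
    "cd": re.compile(r"\w[\w.\-]*"),
}


def prefix_check(user_input, good_words):
    """The flawed approach from the second answer: accept anything that
    merely starts with a 'good' word. 'chmod 777 && rm -rf *' passes."""
    return any(user_input.startswith(word) for word in good_words)


def validate_command(user_input):
    """Return argv (a list) if the input is acceptable, otherwise None.

    shlex.split() applies shell quoting rules, so '&&', ';', '|' and
    '$(...)' come back as ordinary tokens and then fail the argument
    pattern. The returned list is meant for subprocess.run(argv) with the
    default shell=False, so no shell ever interprets the raw string.
    """
    try:
        argv = shlex.split(user_input)
    except ValueError:  # unbalanced quotes: reject rather than guess
        return None
    if not argv:
        return None
    command = argv[0].lower()  # case-insensitive, as the first answer suggests
    if command not in ALLOWED:
        return None  # e.g. 'chmod' is simply not on the list
    args = argv[1:]
    if len(args) > 1:  # policy: at most one argument
        return None
    pattern = ALLOWED[command]
    if any(pattern.fullmatch(arg) is None for arg in args):
        return None
    return [command] + args
```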


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.