0

So I have a string I want to exec, a curl string... when it gets exec'd it is butchering my user-agent string...

Here is the string I am exec'ing...

/usr/bin/curl  -L --no-keepalive --max-time 30 --connect-timeout 30 --insecure --max-redirs 10 --stderr /var/folders/+j/+jqu+V1eEoSalBbXTff74U+++TI/-Tmp-/output7756019899402490058.tmp --cookie-jar /var/folders/+j/+jqu+V1eEoSalBbXTff74U+++TI/-Tmp-/cookies4551380191209065239.tmp --user-agent "1 2 3 4 5" --dump-header /var/folders/+j/+jqu+V1eEoSalBbXTff74U+++TI/-Tmp-/headers159122813500476027.tmp http://test.com

Here is the code I use to exec it

Process pr = null;
Runtime run = Runtime.getRuntime();
try {
    pr = run.exec(cmdline.split(" "));

    A ret = f.f(pr);

    pr.waitFor();

    return ret;
} catch (Exception ex) {
    throw new RuntimeException("Executing " + cmdline, ex);
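} finally {
    // pr is still null if exec() itself threw; guard so the original exception is not masked by an NPE
    if (pr != null) {
        try {
            // close all those bloody streams
            pr.getErrorStream().close();
            pr.getInputStream().close();
            pr.getOutputStream().close();
        } catch (IOException ex) {
            Log.get().exception(Log.Level.Error, "Closing stream: ", ex);
        }
    }
}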

Here are the Apache logs with the user-agent messed up...

192.168.1.105 - - [07/Feb/2012:20:59:38 -0500] "GET / HTTP/1.1" 200 6791 "-" "\"1"

The expected result in Apache should show the FULL user agent (in this case 1 2 3 4 5)

192.168.1.105 - - [07/Feb/2012:20:59:38 -0500] "GET / HTTP/1.1" 200 6791 "-" "1 2 3 4 5"
ariefbayu
Kladskull

2 Answers

3

You're splitting on spaces, and "1 2 3 4 5" has spaces in it.

Dave Newton
  • The reason I split on spaces is so that it 'escapes' the output so no crazy stuff can get executed... i.e.: www.test.com && rm -rf * – Kladskull Feb 08 '12 at 02:11
  • @MikeCurry Okay. But that's why you're getting what you're getting, and the output confirms it. – Dave Newton Feb 08 '12 at 02:12
  • Got this info from: http://stackoverflow.com/questions/5928225/how-to-make-pipes-work-with-runtime-exec – Kladskull Feb 08 '12 at 02:13
  • @MikeCurry Okay. But you're splitting on spaces, and "1 2 3 4 5" has spaces in it. You can't put a single parameter into multiple array positions and expect it to work. – Dave Newton Feb 08 '12 at 02:14
  • Hmm, how should I ensure that no damaging characters get executed on something like this? (i.e. * \ / & ~ ) etc. – Kladskull Feb 08 '12 at 02:14
  • @MikeCurry Strip them out (and hope none of the commands need one of those characters)? Use a command-line parsing library? Write your own parser? Or just don't allow execution of arbitrary strings, which to me seems the most sensible--not sure why you're trying to do what you're doing, so it's really difficult to provide meaningful advice. If your primary goal is to get a website, just take a URL. If you're trying to crawl, use a Java-based crawler. Dunno. – Dave Newton Feb 08 '12 at 02:17
0

I recommend passing it in delimited differently. I would use a semicolon (;) or any non-volatile delimiter, and split the string that way. The thing to remember here is that you do not care about what gets passed into your program, only what you are willing to execute. Therefore your cmdLine variable should look like this:

--user-agent; "1 2 3 4 5"; --dump-header;

Use String.trim() as necessary.

Woot4Moo
  • How would I escape special characters (i.e.: & | * ;)? I want to be able to allow those characters in the user agent, but not have them interpreted. – Kladskull Feb 08 '12 at 02:23
  • Can you give me an example? It sounds more like you want to use a filter in this scenario. I may be misunderstanding the problem, but you are essentially receiving a string and you need to avoid malicious input, correct? – Woot4Moo Feb 09 '12 at 01:37
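
Added example, not code from the question or from either answer: it builds the argument list element by element instead of splitting a string, so the user agent stays one argv entry and characters such as & | * ; are never interpreted, because ProcessBuilder (like Runtime.exec with an array) starts the program directly without a shell. The class and method names are hypothetical, the user-agent value is constructed, and it assumes a POSIX system with `printf` on the PATH, which is used here in place of curl to print each argument the child process actually receives.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ArgvDemo {
    // Builds the curl argument vector; every parameter is exactly one list element.
    static List<String> curlArgs(String userAgent, String url) {
        // Only a URL is accepted from outside, never a whole command line.
        if (!url.startsWith("http://") && !url.startsWith("https://")) {
            throw new IllegalArgumentException("not an http(s) URL: " + url);
        }
        return new ArrayList<>(Arrays.asList(
            "/usr/bin/curl", "-L", "--max-time", "30",
            "--user-agent", userAgent,   // spaces and & | * ; stay literal
            url));
    }

    // Runs printf so that each argv element it receives comes back as [element].
    static List<String> showArgv(List<String> argv) throws IOException, InterruptedException {
        List<String> cmd = new ArrayList<>(Arrays.asList("printf", "[%s]\\n"));
        cmd.addAll(argv);
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) lines.add(line);
        }
        p.waitFor();
        return lines;
    }

    public static void main(String[] args) throws Exception {
        String ua = "1 2 3 4 5 && rm -rf * ; | ~";   // constructed sample value
        // What split(" ") does: one parameter is spread over several array slots,
        // and the quote characters are passed through as data ("1 ... ~").
        System.out.println(Arrays.asList(("--user-agent \"" + ua + "\"").split(" ")));
        // One element per parameter; no shell runs, so nothing is expanded or chained.
        showArgv(curlArgs(ua, "http://test.com")).forEach(System.out::println);
    }
}
```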