DosTips.com

A Forum all about DOS Batch
https://www.dostips.com/forum/

SANITIZE.EXE - Sanitize user input and prevent code injection

https://www.dostips.com/forum/viewtopic.php?f=3&t=7580

Page 1 of 1

SANITIZE.EXE - Sanitize user input and prevent code injection

Posted: 30 Nov 2016 09:44
by SirJosh3917
So we all know that just about any batch file can become hacked by typing in "&call LeetBatchFileToGiveMeAllTheHackingPower.bat" whenever it prompts you with input.

SANITIZE.EXE fixes this, by doing the following:
1) getting the user input
2) removing all instances of "&" and "%"
3) storing it in a file

Then after that, you can just read the first line from the file and see what you get.

========================
DOWNLOAD IT:
sanitize.zip
SANITIZE.EXE download & demo
(71.81 KiB) Downloaded 464 times


========================
SOURCE CODE:
source.zip
Source code of sanitize.
(52.63 KiB) Downloaded 435 times

Re: SANITIZE.EXE - Sanitize user input and prevent code injection

Posted: 30 Nov 2016 10:10
by Aacini
I am afraid I don't understand the purpose of this program. If the idea is to avoid the problems that may happen when the user input is expanded via %standard% expansion, just use !delayed! expansion instead...

Antonio

Re: SANITIZE.EXE - Sanitize user input and prevent code injection

Posted: 30 Nov 2016 10:49
by SirJosh3917
Aacini wrote:I am afraid I don't understand the purpose of this program. If the idea is to avoid the problems that may happen when the user input is expanded via %standard% expansion, just use !delayed! expansion instead...

Antonio


Oh...
My bad...

I mean I guess it has some use when not using setlocal enabledelayedexpansion but...
oh well.
All times are UTC-06:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/