[gull] Tips and miscellaneous remarks
Félix Hauri
felix at f-hauri.ch
Wed Apr 2 11:31:11 CEST 2025
Avoid SQL injection!
$ sed -e '2{/^case/!i case ${1#+} in *[^0-9]*|\o47\o47) exit 1;;esac' \
-e\} -i.bak /usr/share/asterisk/agi-bin/ntfy.sh
$ diff /usr/share/asterisk/agi-bin/ntfy.sh{.bak,}
1a2
> case ${1#+} in *[^0-9]*|'') exit 1;;esac
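Review bot: the guard inserted at line 2 still lets through a one- or two-character argument such as 12 or +4, and the script then interpolates ${1:2}, which is empty for such input, so the query becomes nr ~ '' and matches every row of tel. Consider also exiting when nothing is left after the first two characters. Note too that only $1 is checked, while the notification text is still built from "$*".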
On Wed, Apr 02, 2025 at 11:01:01AM +0200, Félix Hauri via gull wrote:
> root@asterisk# cat >/usr/share/asterisk/agi-bin/ntfy.sh <<'eof'
> #!/bin/bash
> ntfyUrl=https://ntfyServ.exemple.com
> ntfyTopic=mesnotif
> ntfyToken=tk_dux12ceci3st7otalement6idon34
> IFS=\| read -r nom < <(
> printf -v req 'SELECT name FROM tel WHERE nr ~ \47%s\47;' "${1:2}"
> psql -h pgDbHost -U asterisk -Atc "$req" files )
> printf -v msg '\U260e\Ufe0f Appel de %s\n %s\n %s' "$*" "$nom"
> curl -u ":$ntfyToken" -d "$msg" "$ntfyUrl/$ntfyTopic" >/dev/null 2>&1 <<<'' &
> exit 0
> eof
--
Félix Hauri - <felix at f-hauri.ch> - http://www.f-hauri.ch
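
The guard from the diff above, wrapped as functions and run over constructed caller IDs. This is an added example, not part of the original post; the function names and the refusal of IDs that leave nothing after the first two characters are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# rejection of IDs shorter than three characters are assumptions.

# Same test as the posted guard: strip one leading "+", then require a
# non-empty, digits-only remainder ([!0-9] is the POSIX form of [^0-9]).
valid_caller_id() {
    case ${1#+} in
        *[!0-9]*|'') return 1 ;;
    esac
    return 0
}

# Print what the posted script interpolates into the regex: the caller
# ID minus its first two characters (${1:2} in bash). Refuse when nothing
# would be left, because "nr ~ ''" matches every row.
lookup_key() {
    valid_caller_id "$1" || return 1
    key=${1#??}
    [ "$key" != "$1" ] && [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Build the SELECT only from a key that passed both checks.
build_query() {
    key=$(lookup_key "$1") || return 1
    printf "SELECT name FROM tel WHERE nr ~ '%s';\n" "$key"
}

# Constructed sample inputs (not taken from the post).
for id in '+41791234567' '0791234567' '+4' '' "079' OR '1'='1" '079 123'; do
    if q=$(build_query "$id"); then
        printf 'accept [%s] -> %s\n' "$id" "$q"
    else
        printf 'reject [%s]\n' "$id"
    fi
done
```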