Open haarg opened 6 years ago
the main reason of this whitelist was a quick & dirty protection for system calls I'm open to better ideas, adding + seems sane
The replacement by '.' allow you to view some results close to your original search, rather than no result at all. Maybe this should be mentioned somewhere in the result when doing so
This clearly need/can be improved
The arguments end up being passed using the list form of exec. There shouldn't be any need for sanitization, unless you want to restrict what regexes can be used.
If that's the case then I agree all these restrictions are more painful than useful, would need to check how&where the string is used.
The patch should be pretty straightforward to disable these restrictions.
The search sanitization seems a bit strange to me. Why is
'
being escaped? Why is\n
being removed? And filtering unexpected characters to.
rather than rejecting the search seems odd. The list of allowed characters is also missing+
.