Monday 8 May 2017

NodeJS ExecFile Args Security

I've asked a similar question before, but I just really wanted to make sure this is true because it is a security issue. According to this question and the answer given...

http://stackoverflow.com/a/15168405/4045156

...if you use execFile and allow unsanitised user-entered content to be inserted in the args, it is safe. Is that true? In my app the user cannot modify the name of the executable, only one of the args in the args array (they need to provide a fully custom piece of text which they type; there is no way for me to provide it as a list of options).

Note that I'm specifically using execFile.

Is this safe? Thanks for your help.



via Sam
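The behaviour the question asks about, as an added example that is not part of the original post: without the `shell` option, `execFile` passes each array element to the program as one literal argument, but the program can still parse user text that begins with `-` as one of its own options. The toy CLI, `runToyCli` and `argsForUserText` are hypothetical, `execFileSync` is used as the synchronous form of `execFile`, and the sample inputs are constructed.

```javascript
const { execFileSync } = require('node:child_process');

// Constructed stand-in for the fixed executable: a tiny CLI, run as a child
// Node process, that reports which arguments it parsed as options and which
// as text. Like many CLIs it stops option parsing at "--" (an assumption).
const TOY_CLI = `
  const a = process.argv.slice(1), end = a.indexOf('--');
  const head = end < 0 ? a : a.slice(0, end);
  const tail = end < 0 ? [] : a.slice(end + 1);
  const opts = head.filter(x => x.startsWith('-'));
  const text = head.filter(x => !x.startsWith('-')).concat(tail);
  process.stdout.write(JSON.stringify({ opts, text }));
`;

// execFileSync, like execFile, starts the file directly with an argument
// array. No shell runs unless the "shell" option is set, so shell
// metacharacters inside an argument are never interpreted.
function runToyCli(programArgs) {
  // The first "--" ends Node's own options; the rest goes to TOY_CLI.
  const out = execFileSync(
    process.execPath,
    ['-e', TOY_CLI, '--', ...programArgs],
    { encoding: 'utf8' }
  );
  return JSON.parse(out);
}

// Hypothetical helper: place user text after "--" so the target cannot read
// it as an option. Only valid for programs that honour "--".
function argsForUserText(userText) {
  return ['--', String(userText)];
}

// Constructed inputs.
const metachars = 'note; echo INJECTED $(whoami) | cat > /tmp/x';
const optionLike = '--force';

const literal = runToyCli([metachars]);                 // one literal text argument
const asOption = runToyCli([optionLike]);               // parsed as an option
const guarded = runToyCli(argsForUserText(optionLike)); // treated as text

console.log({ literal, asOption, guarded });
```

Whether a given executable honours `--`, or needs the user text validated against an allowlist instead, depends on that program's own argument parser.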
