-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At some point hitherto, Derek D. Martin hath spake thusly:
> > lot of them, just surrounding the arg in double quote ("$argv[2]")
> > will protect the spaces and pass the string to the program as one
> > argument. Interpreters like perl and tcl also have simple ways of
> > handling this problem.
>
> This isn't really all that helpful... What's going on here is the scp

Oops! I forgot to actually mention why it wasn't helpful. You don't
WANT all one argument in this case... You want to call one of the
execv() or execl() functions to launch the relevant command (scp or
sftpd-server). Whichever you choose, you need to have the arguments to
those commands each broken out into their own string, as that's the way
the exec family of functions works. [On some systems, these may be
system calls. On Linux, only execve() is a system call, and the other
exec functions are just wrappers around it.]

You could get around this problem by using the system() function, which
does allow for a single string that represents the command line.
However, the way system works is by exec'ing a shell, which again allows
the user to manipulate their environment. So in general, when security
is an issue (as it is with restricted shells), you should avoid the
system() function.

- --
Derek Martin               ddm@pizzashack.org
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9TYTwdjdlQoHP510RAtKIAJ9FY8NGKL4jLrM4sjmbnLERpsguLACffYfI
mDiPFPgDkOdZFO6kPU+S70o=
=DeBu
-----END PGP SIGNATURE-----
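
The difference between the two launch paths described in the message above, as an added example that is not part of the original post: the same string is tokenised into an argument vector for execv() and also handed whole to system(). The helper names, the use of /bin/echo and the sample command string are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_ARGS 16

/* Split buf in place on blanks. No quoting, globbing or metacharacter
 * handling: every token is literal data. Returns argc, -1 if too many. */
int split_args(char *buf, char *argv[], int max)
{
    int argc = 0;
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max - 1) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;            /* exec*() needs a NULL-terminated vector */
    return argc;
}

/* Launch cmd via execv(): no shell ever sees the string. */
int run_with_exec(const char *cmd)
{
    char buf[256], *argv[MAX_ARGS];
    int status;
    if (strlen(cmd) >= sizeof buf) return -1;
    strcpy(buf, cmd);
    if (split_args(buf, argv, MAX_ARGS) < 1) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);     /* absolute path only, no PATH search */
        _exit(127);               /* reached only if execv() failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Launch the same string via system(): /bin/sh parses it first. */
int run_with_system(const char *cmd)
{
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *cmd = "/bin/echo hi; exit 3";   /* constructed sample input */
    printf("execv: %d, system: %d\n", run_with_exec(cmd), run_with_system(cmd));
    return 0;
}
```

With execv() the tokens `hi;`, `exit` and `3` reach echo as plain arguments and the exit status is echo's own; with system() the shell treats `;` as a command separator and the status comes from the trailing `exit`.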