> Anyway, this is fixable if you can figure out just the right combination
> of quotes and backslashes to actually get double quotes into the file:
>
> continue = ${run{SHELL -c 'echo \\\"$sender_host_address\\\"
> >>$spool_directory/blocked_relay_ips; \
>
> (and FWIW, the BlockCracking page above makes exactly the same mistake
> in the code to resist brute-forcing of SMTP AUTH credentials)
>
> My question: is there a better way to add entries to a file like this?
> It would be very helpful if there was something that could add keys and
> values to such a file, take care of the escaping for you, and avoid any
> risks from including potentially user-supplied data in a command line.
The best way to avoid quoting risks with user-supplied data and command
lines is to never use '${run{SHELL -c ....}}'. Any time you initially
need to do this, turn the shell invocation into a shell script (or a
Perl script or etc) that takes just the arguments you are supplying and
assemblest them securely inside itself. You really, really do not want
to get into the business of trying to safely quote shell command line
arguments.
- cks
