Done and done.


//Get secret; protects against all characters with ASCII code between
0 and 31 : . \ + * ? [ << ^ > ] ( $ ) #

     $secret = shell_exec('cat
/tmp/oid-shared_secret-'.addcslashes($_GET['openid_assoc_handle'],'\0..\37;.\+*?[<<^>]($)#').'.secret');


Should be good, no?


-Kris


(PS, Damn the reply-to!)


On 2005/06/29, at 9:19 PM, Phil Harnish wrote:


<excerpt><x-tad-smaller>What if they just encode a newline and add a
more malicious shell

command of their own?</x-tad-smaller></excerpt>