SANITIZE.EXE - Sanitize user input and prevent code injection

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

SirJosh3917
Posts: 35
Joined: 02 May 2016 18:59

SANITIZE.EXE - Sanitize user input and prevent code injection

#1 Post by SirJosh3917 » 30 Nov 2016 09:44

So we all know that just about any batch file can be hacked by typing "&call LeetBatchFileToGiveMeAllTheHackingPower.bat" whenever it prompts you for input.

SANITIZE.EXE fixes this by doing the following:
1) getting the user input
2) removing all instances of "&" and "%"
3) storing it in a file

After that, you can just read the first line from the file and see what you get.

========================
DOWNLOAD IT:
sanitize.zip (SANITIZE.EXE download & demo, 71.81 KiB)

========================
SOURCE CODE:
source.zip (source code of sanitize, 52.63 KiB)

Aacini
Expert
Posts: 1611
Joined: 06 Dec 2011 22:15
Location: México City, México

Re: SANITIZE.EXE - Sanitize user input and prevent code injection

#2 Post by Aacini » 30 Nov 2016 10:10

I am afraid I don't understand the purpose of this program. If the idea is to avoid the problems that may happen when the user input is expanded via %standard% expansion, just use !delayed! expansion instead...

Antonio
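
The injection from post #1 and the delayed-expansion fix from post #2, as one added example that is not code from either poster or from SANITIZE.EXE. The prompt text, the variable names and the "INJECTED" marker are assumptions made for the demo; at the prompt, type something like `anything&echo INJECTED` to see the difference between the two echo lines.

```batch
@echo off
rem Added example (not the forum poster's code). Shows why "&" in user input
rem runs extra commands under percent expansion and why delayed expansion
rem makes the same input inert. Prompt text and variable names are hypothetical.

setlocal EnableDelayedExpansion

rem Clear the variable first: "set /p" leaves it untouched on empty input.
set "name="
set /p "name=Enter your name: "

rem --- vulnerable: percent expansion ---
rem %name% is substituted into the line before the line is parsed, so an "&"
rem in the input becomes a command separator and whatever follows it runs.
rem Input:  anything&echo INJECTED
rem Output: Hello anything   (then "INJECTED" on its own line)
echo Hello %name%

rem --- hardened: delayed expansion ---
rem !name! is substituted after the line has been parsed, so the value is
rem printed as one literal string; "&", "|", ">" and "^" in it do nothing.
rem Input:  anything&echo INJECTED
rem Output: Hello anything&echo INJECTED
echo Hello !name!

rem --- the SANITIZE.EXE idea done in plain batch ---
rem Strip "&" before using the value with percent expansion. This blocks the
rem "&" case from post #1 but still leaves "|" and ">" as live separators,
rem which is why the !name! form above is the real fix.
set "clean=!name:&=!"
echo Hello %clean%

endlocal
```

One more reason to prefer `!name!` once delayed expansion is enabled: with it on, a `%name%` expansion whose value contains `!` or `^` gets mangled during the second (delayed) parsing phase, while `!name!` prints the stored value unchanged.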

SirJosh3917
Posts: 35
Joined: 02 May 2016 18:59

Re: SANITIZE.EXE - Sanitize user input and prevent code injection

#3 Post by SirJosh3917 » 30 Nov 2016 10:49

Aacini wrote: I am afraid I don't understand the purpose of this program. If the idea is to avoid the problems that may happen when the user input is expanded via %standard% expansion, just use !delayed! expansion instead...

Antonio


Oh...
My bad...

I mean I guess it has some use when not using setlocal enabledelayedexpansion but...
oh well.
