From: Alexandre Ferrieux on
On Nov 30, 4:22 pm, Fredrik Karlsson <dargo...(a)gmail.com> wrote:
>
> Just my paranoia, maybe, but keeping user input away from parsing as
> much as possible seems safer to me. If I am wrong, please tell me.

Do you realize that

"feeding uncontrolled user input or not"

and

"doing the job in C or Tcl"

are completely orthogonal ?

-Alex
From: Gerald W. Lester on
Fredrik Karlsson wrote:
> On 28 Nov, 17:36, "Gerald W. Lester" <Gerald.Les...(a)cox.net> wrote:
>> The Tcl to eval would be:
>> set directories [lsort -unique $directories]
>
> Hi,
>
> Yes, to be honest, I had forgot about Tcl_Eval().. though, I do admit
> that I maybe would have not wanted to use it anyway. What happens if
> the user input is
> "Some file {which I will explain "later' `with" (qoutes removed) or
> something really nasty. I am really insecure when it comes to
> protecting strings in a fool-proof way. I am sure that {} protecting
> it solves lots of issues, but maybe strings that are not meant to be
> evaluated as part of a Tcl script should be kept from being possibly
> evaluated as part of a script as much as possible?
>
> Just my paranoia, maybe, but keeping user input away from parsing as
> much as possible seems safer to me. If I am wrong, please tell me.

Take a look at your C code, you built up directories by using the list
functions, thus Tcl will put in the proper quoting.

The same would be true if you had built in in Tcl using lappend.

--
+------------------------------------------------------------------------+
| Gerald W. Lester |
|"The man who fights for his ideals is the man who is alive." - Cervantes|
+------------------------------------------------------------------------+