Martin Gregorie writes:
> Richard Kettlewell wrote:
>> That’s fundamentally the wrong approach. Instead, use an appropriate
>> quoting/escaping scheme. See
>> https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>> for many examples.
>
> Interesting stuff, but it's all HTML and JS-related - nothing much there I
> can use outside that environment.

You said you were worried about cross-site scripting, which is a web
issue.

> I'm dealing with bog standard e-mails which can have been sent from
> almost any hardware using almost any software and at the immediate point
> of interest, are being passed between processes written in Python, C
> and bash. My immediate concern is to sanitise sender addresses being
> passed through a bash script, which is the only piece of the puzzle
> written by myself apart, of course, from the sanitiser.

It sounds like you’re worried about code injection attacks on these
boundaries.

Sanitization is the wrong strategy. A perfectly valid email address may
nevertheless contain characters that trip up your downstream
applications in some way, if they have not been hardened to process
untrusted data.

The mitigations for this when the shell is involved are:

* Minimize the portion of your application written in shell[1].
* Use shell quoting syntax properly within the shell scripts that you do
  have.

And when invoking commands (in any context):

* Prefer array-format commands e.g. args=[...] in Python, or execvp
  (etc) in C
* Avoid string-format commands (e.g. args="..." in Python or system &
  popen in C).

[1] Ideally to 0. The same applies to C. Both are terrible language
    choices for security.

--
https://www.greenend.org.uk/rjk/
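
Added example, not part of the original post: the array-format versus string-format distinction and the shell quoting rule from the lists above, run against one valid sender address that contains shell metacharacters. The address, the echoing child process and all function names are constructed for illustration, and a POSIX `sh` is assumed to be on the PATH.

```python
import shlex
import subprocess
import sys

# Constructed sample: a syntactically valid address (' and & are legal in
# an unquoted local part) that also contains shell metacharacters.
SENDER = "o'brien&co@example.com"

# Hypothetical stand-in for a downstream program: echoes argv[1] verbatim.
CHILD = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def run(cmd, **kw):
    """Run a command and return (exit status, captured stdout)."""
    p = subprocess.run(cmd, capture_output=True, text=True, **kw)
    return p.returncode, p.stdout


def via_argv(sender):
    """Array-format: no shell; sender is exactly one argv element."""
    return run(CHILD + [sender])


def via_shell_string_unquoted(sender):
    """String-format, the form to avoid: the shell parses the address."""
    prefix = " ".join(shlex.quote(a) for a in CHILD)
    return run(prefix + " " + sender, shell=True)


def via_shell_string_quoted(sender):
    """If a command string is unavoidable, quote every untrusted word."""
    return run(" ".join(shlex.quote(a) for a in CHILD + [sender]), shell=True)


def via_shell_script(sender):
    """Inside a script: take the value as "$1" and always double-quote it."""
    return run(["sh", "-c", 'printf %s "$1"', "sh", sender])


if __name__ == "__main__":
    for f in (via_argv, via_shell_string_unquoted,
              via_shell_string_quoted, via_shell_script):
        print(f"{f.__name__:28} -> {f(SENDER)!r}")
```

Only the unquoted string form fails to deliver the address intact; the other three hand the child exactly the bytes that were received, with no sanitising step involved.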