
Yes, $() inside of double quotes is expanded. This is a documented and standardized feature of all shells derived from the Bourne shell.



Every point in the article is obvious. As a script kiddie pasting stuff from the internet (including stuff from the victim's website) back in the day, I was acutely aware of the fact that you can't paste something and hit enter anywhere ever (unless you strip out ', but even that isn't very reassuring given that the shell probably has undocumented edge cases as well as other problems at other layers such as the terminal [1]).

Anyway, shells are dumb and dangerous. A real interactive language should simply have a text box for text. I guess I could write a usual 10 paragraph rant on this but it really is that simple.

1. Day of the seal soon.


The thing is, it gets executed when enclosed in single quotes too. That's what worried me, as I had been quoting URLs within single quotes in shell commands and had been feeling relatively safe -- till now.

I noticed the single quote. I know how it gets escaped from the quote. The point is: we that work on the command line use single quotes to enclose URLs as parameters to curl/wget, and that's not safe if you don't char-by-char escape the URL.


Because you can exit the quoting any time with another single quote. This is literally how SQL injections worked 20 years ago.


No it is not. The single quote example is wrong because the evaluation part $(...) is unquoted. Take a closer look. The first single-quoted part ends after the first semicolon, right before the $(.


It's not wrong, it's just demonstrating that slapping single quotes around a string is not sufficient to make it safe. You need to escape the string properly. Guess how many people do that.


Writing '...' switches from "writing shell code" to "writing a single-quoted string". It does not switch to "writing arbitrary text" (since that would give us no way to end the string!). You should always convert arbitrary text to "single-quoted string" format: most of the time it will stay the same, e.g. "google.com"; sometimes it needs escaping to prevent benign corruption, e.g. "I'm a little teapot"; in this case it needs escaping to prevent malicious code injection.
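The conversion described in that comment, as an added example that is not part of the thread: a small POSIX sh function that rewrites arbitrary text into single-quoted string format (each embedded ' becomes '\''), next to the naive "slap single quotes around it" composition that the earlier comments argue about. The URL below is a constructed input; the `shquote`, `naive_cmd` and `safe_cmd` names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts arbitrary text into
# "single-quoted string" format before it is spliced into a command line.

# shquote TEXT: print TEXT wrapped in single quotes, with every embedded
# single quote rewritten as '\'' (close quote, escaped quote, reopen quote).
# Trailing newlines in TEXT are dropped by the command substitution.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Constructed hostile input: a "URL" carrying a closing quote and a command.
URL="http://example.com/?q='; echo INJECTED; '"

# Naive composition: the embedded ' ends the string early, so what follows
# it is parsed as shell code (here a harmless echo stands in for the payload).
naive_cmd() { printf "printf '%%s' '%s'" "$1"; }

# Safe composition: the value reaches printf as one literal argument.
safe_cmd() { printf "printf '%%s' %s" "$(shquote "$1")"; }

main() {
    echo "naive command line: $(naive_cmd "$URL")"
    echo "naive output:       $(eval "$(naive_cmd "$URL")")"
    echo "safe command line:  $(safe_cmd "$URL")"
    echo "safe output:        $(eval "$(safe_cmd "$URL")")"
}

main "$@"
```

The naive line prints only the part of the URL before the first quote and then runs `echo INJECTED`; the safe line prints the whole URL unchanged, because the only quote characters the parser sees are the ones `shquote` put there.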


That's only because it's got single quotes contained within it.


Syntax highlighting in the shell vaguely helps.





