From 40dfef85677f89681d8690c4f12a3e1591228c60 Mon Sep 17 00:00:00 2001 From: koalaman Date: Fri, 12 Jun 2015 18:01:14 -0700 Subject: [PATCH] Updated SC2156 (markdown) --- SC2156.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SC2156.md b/SC2156.md index efad4e9..483fc37 100644 --- a/SC2156.md +++ b/SC2156.md @@ -12,7 +12,7 @@ In the problematic example, the filename is passed by injecting it into a shell string. Any shell metacharacters in the filename will be interpreted as part of the script, and not as part of the filename. This can break the script and allow arbitrary code execution exploits. -In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. +In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. The `_` is a dummy string that becomes `$0` in the script. ### Exceptions:
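Review bot: The sentence added at the end of the "correct example" paragraph says `_` becomes `$0` but does not say why a placeholder is needed or where the filename ends up. Consider extending it to state that the filename therefore arrives as `$1`, and that leaving out the `_` would make the filename itself `$0` and leave `$1` empty, for example: "The `_` is a dummy string that becomes `$0` in the script, so the filename is available as `$1`." It would also help to say that `_` is an arbitrary choice and any string works in that position, since "dummy" alone does not make that explicit.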