On Tue, 15 Feb 2000, Andrew Danforth wrote:

> On Mon, 14 Feb 2000, Bill wrote:
>
> > Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
> > from doing anything harmful, as well?
>
> Not really. Consider the following snippet:
>
> open PASSWD, '< /etc/passwd';
> $var = '&PASSWD'; # also try $var = '&3';
> open IN, "< $var";
> print while (<IN>);
>
> Perl's open will dup other file descriptors if < is followed by &. This
> isn't as potentially problematic as forking commands, but there may be
> circumstances where someone could dup a filehandle and cause your script
> to behave strangely/output sensitive information/etc.
>
> Andrew

Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:

$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";
$var = shift;
open(FH, "< $var") or die "open(): $!\n";
print <FH>;
(hit CTRL D here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
... etc

Anyway, this is probably getting off topic...

- Bill
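The mitigation for the behaviour discussed in this thread, as an added example that is not part of either post: the three-argument form of open in current Perl keeps the mode separate from the name, so a value such as '&SECRET' is only ever treated as a path. The temporary file, the SECRET handle and the sub names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for a sensitive file the script already holds open.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "constructed-secret-line\n";
close($tmp) or die "close(): $!\n";
open(SECRET, '<', $path) or die "open(): $!\n";

# Constructed untrusted value, the same shape as $var in the thread.
my $input = '&SECRET';

# Two-argument form: mode and name share one string, so a leading '&'
# after '<' is parsed as "dup this existing handle", not as a file name.
sub read_two_arg {
    my ($name) = @_;
    open(my $fh, "< $name") or return "open failed: $!";
    local $/;                      # slurp the whole stream
    my $data = <$fh>;
    return 'read ' . length($data // '') . ' bytes';
}

# Three-argument form: the mode is fixed by the caller and $name is used
# only as a path, so '&SECRET' must exist as a file to be opened.
sub read_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    local $/;
    my $data = <$fh>;
    return 'read ' . length($data // '') . ' bytes';
}

print "2-arg open of '$input': ", read_two_arg($input),   "\n";
print "3-arg open of '$input': ", read_three_arg($input), "\n";

close(SECRET);
```

Run it from a directory that has no file literally named &SECRET; the three-argument call then fails with a "No such file" error instead of reading through the already-open handle.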
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:19 PDT