Re: Secure popen

From: John Viega (viegaat_private)
Date: Tue Jun 19 2001 - 14:06:36 PDT

Next message: Aaron Bentley: "Re: Secure popen"

Previous message: Aaron Bentley: "Secure popen"
In reply to: Aaron Bentley: "Secure popen"
Next in thread: Aaron Bentley: "Re: Secure popen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Use execv() if possible.

John

On Tue, Jun 19, 2001 at 10:03:56AM -0400, Aaron Bentley wrote:
> I'm writing a CGI program in C++ that sends email.  I'm using Sendmail
> for the transmission, so I need a command that lets me specify stdin for
> Sendmail.
> I understand popen() is not very secure, because it uses the shell to
> execute the command, but I don't know of a safe alternative.  I can
> sanitize my input, but is escaping all non-alphanumeric characters the
> right answer?
> 
> The program is not privileged, but I don't want people to be able to
> gain privileges as 'nobody' on the web server.
> 
> Any suggestions for this ?
> 
> Aaron
> 
> --
> Aaron Bentley
> Manager of Information Technology
> PanoMetrics, Inc.
> 
>

Next message: Aaron Bentley: "Re: Secure popen"
Previous message: Aaron Bentley: "Secure popen"
In reply to: Aaron Bentley: "Secure popen"
Next in thread: Aaron Bentley: "Re: Secure popen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:50:46 PDT