[ISTR a discussion of this very topic on SECPROG, or perhaps one of the other SecurityFocus mailing lists, only a few weeks ago. Have you checked the archives? It might have been Usenet; you could do a search against comp.unix.programming.] My suggestion: write a version of popen that doesn't use the shell. If you have the source for your OS' C library, use that as a template; if not, grab the GCC implementation if the license terms aren't prohibitive for your application. Or adapt the one in Stevens' _Advanced Programming in the Unix Environment_. Or you could write your own from scratch, but while it's conceptually simple there are various pitfalls, and it helps to have an existing implementation to point them out. Michael Wojcik michael.wojcikat_private MERANT Department of English, Miami University > -----Original Message----- > From: Aaron Bentley [mailto:abentleyat_private] > Sent: Tuesday, June 19, 2001 9:04 AM > I'm writing a CGI program in C++ that sends email. I'm using Sendmail > for the transmission, so I need a command that lets me > specify stdin for Sendmail. > I understand popen() is not very secure, because it uses the shell to > execute the command, but I don't know of a safe alternative. I can > sanitize my input, but is escaping all non-alphanumeric characters the > right answer? > > The program is not privileged, but I don't want people to be able to > gain privileges as 'nobody' on the web server. > > Any suggestions for this ?
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:58:21 PDT