RE: Can System() of Perl be bypassed?

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Wed Jan 22 2003 - 13:30:17 PST

  • Next message: Brian Hatch: "Re: Can System() of Perl be bypassed?"

    Use the multiple-argument version of the system call, and ensure that the
    program you're calling won't misbehave if weird input is provided:
    
    system("/path/some-command", $user_data);
    
    Passing $user_data and the command name in a single string (the
    single-argument form of system()) causes the shell to parse and interpret
    the data, which means shell metacharacters in the user's data will be
    interpreted.
    
    Read through perlsec for this and other gotchas.  Taint mode in Perl will
    help you avoid them, but don't rely exclusively on it.  It will catch some
    stupid mistakes, but it isn't a cure for not knowing what you're doing.
    
    Good luck,
    
    David
    
    -----Original Message-----
    From: Sandeep Giri [mailto:sandeepgiriat_private]
    Sent: Wednesday, 22 January, 2003 01:03
    To: secprogat_private
    Subject: Can System() of Perl be bypassed?
    
    
    
    
    Hi All,
    In my PERL code,I am using user's input as command line argument for the 
    program being executed by System().
    Can user run command of his choice by giving malicious input?
    Is PERL's -T (Taint mode) the solution for this?
    
    Thanks.
    
    Sandeep Giri
    



    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 14:27:12 PST