Use the multiple-argument version of the system call, and ensure that the program you're calling won't misbehave if weird input is provided: system("/path/some-command", $user_data); Passing $user_data and the command name in a single string (the single-argument form of system()) causes the shell to parse and interpret the data, which means shell metacharacters in the user's data will be interpreted. Read through perlsec for this and other gotchas. Taint mode in Perl will help you avoid them, but don't rely exclusively on it. It will catch some stupid mistakes, but it isn't a cure for not knowing what you're doing. Good luck, David -----Original Message----- From: Sandeep Giri [mailto:sandeepgiriat_private] Sent: Wednesday, 22 January, 2003 01:03 To: secprogat_private Subject: Can System() of Perl be bypassed? Hi All, In my PERL code,I am using user's input as command line argument for the program being executed by System(). Can user run command of his choice by giving malicious input? Is PERL's -T (Taint mode) the solution for this? Thanks. Sandeep Giri
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 14:27:12 PST