>>>>> On 22 Jan 2003 07:03:27 -0000, Sandeep Giri <sandeepgiriat_private> said:

SG> Hi All,
SG> In my PERL code, I am using user's input as command line argument for the
SG> program being executed by System().

It depends. Perl's system() may be given a single string as its argument or a list. In the first case it will pass this string to the shell, which will try to interpret it. For example:

    system("cat $file");

This is dangerous as $file can contain something that will be interpreted by the shell as additional commands. For example $file might contain something as destructive as '; rm -rf /'.

If you specify a list then system() doesn't use the shell and its usage is much safer:

    system('cat', $file);

This will try to only print the file specified by the $file variable no matter what $file contains. It is actually covered in the Perl documentation. See 'perldoc -f system'.

Still, if you let arbitrary user input be an argument to some program you must be sure that this program will be able to handle it in a safe manner. Personally I would ensure that user input is clean and is something that the program expects before passing it to the program. It is just safer.

SG> Can a user run a command of his choice by giving malicious input?
SG> Is PERL's -T (Taint mode) the solution for this?

Yes and no. Taint mode helps you to catch bugs when you pass arbitrary user input to system() by accident. Perl simply refuses to use tainted vars as arguments for system(). But if you willingly untaint it without actually verifying and removing dangerous data and then pass it to system(), then Perl cannot help you. You are on your own here.

You might want to read 'perldoc perlsec' to learn more about taint mode.

-- 
Ilya Martynov, ilyaat_private
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support
UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org
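The three cases Ilya describes, put side by side in one script. This is an added example, not code from the original message: the script name system_forms.pl, the base directory /etc used in the validated case, and the malicious argument '/dev/null; echo INJECTED' are all constructed for the demonstration. The same script is run twice, once without -T to show what the shell does with the single-string form, and once with -T to show taint mode refusing both forms until the input has been validated.

```perl
#!/usr/bin/perl
# Added example (not from the original message): system() with a single
# string, system() with a list, and taint mode on the same user input.
#
# Run it both ways and compare:
#   perl    system_forms.pl '/dev/null; echo INJECTED'
#   perl -T system_forms.pl '/dev/null; echo INJECTED'
#   perl -T system_forms.pl hosts
use strict;
use warnings;

# Under -T, system() also refuses to run while PATH or the shell-related
# variables are attacker-controllable, so pin them before anything else.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "taint mode: ", (${^TAINT} ? "on" : "off"), "\n";

# The "filename" comes from the command line; under -T it is tainted.
my $file = $ARGV[0];
die "usage: perl [-T] $0 <filename>\n" unless defined $file;

# 1. Single-string form.  Because the string contains shell metacharacters,
#    Perl runs it through /bin/sh, which executes "cat /dev/null" and then
#    "echo INJECTED".  Under -T Perl dies instead ("Insecure dependency in
#    system"); the die is caught by eval so the script can continue.
print "[1] system(\"cat \$file\"):\n";
eval { system("cat $file") };
print "    refused: $@" if $@;

# 2. List form.  No shell is involved: cat receives a single argument that
#    is literally "/dev/null; echo INJECTED" and reports no such file.
#    Under -T this is still refused, because the argument is tainted even
#    though it can no longer be interpreted as a command.
print "[2] system('cat', \$file):\n";
eval { system('cat', $file) };
print "    refused: $@" if $@;

# 3. Untaint by validating what the program is supposed to receive, not by
#    a blanket capture.  Only a plain basename is accepted: word characters,
#    dots and dashes, starting with a word character (so "..", dotfiles and
#    anything with "/" or ";" are rejected), and it is joined to a fixed
#    directory.  /etc is an assumed base directory for this example.
my $base = '/etc';
my ($name) = $file =~ /\A(\w[\w.-]*)\z/
    or die "[3] rejected: '$file' is not a plain filename\n";
my $path = "$base/$name";      # built from clean pieces, so not tainted
print "[3] system('cat', '$path'):\n";
system('cat', $path) == 0
    or warn "    cat exited with status ", $? >> 8, "\n";
```

Without -T, case 1 prints INJECTED, case 2 produces only cat's "No such file or directory" for the literal argument, and case 3 rejects the input before anything runs. With -T, cases 1 and 2 are both refused by Perl, and only the validated path in case 3 reaches cat, which is the distinction the reply draws between taint mode catching an accident and the programmer still having to decide what input is acceptable.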
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 14:31:11 PST