Re: Can System() of Perl be bypassed?

From: Ilya Martynov (ilyaat_private)
Date: Wed Jan 22 2003 - 14:09:56 PST

  • Next message: Glynn Clements: "Re: Can System() of Perl be bypassed?"

    >>>>> On 22 Jan 2003 07:03:27 -0000, Sandeep Giri <sandeepgiriat_private> said:
    
    SG> Hi All,
    SG> In my PERL code,I am using user's input as command line argument for the 
    SG> program being executed by System().
    
    It depends. Perl's system() may be given a single string as its
    argumens or a list. In the first case it will pass this string to the
    shell which will try to interpret it. For example
    
        system("cat $file");
    
    This is dangerous as $file can contain something that will interpreted
    by shell as an additional commands. For example $file might containt
    something destructive as '; rm -rf /'.
    
    If you specify a list than system() doesn't use shell and it's usage
    is much safer:
    
        system('cat', $file);
    
    This will try to only print file specified by $file variable no matter
    what $file contains.
    
    It is actually is covered in Perl documentation. See 'perldoc -f
    system'.
    
    Still if you let arbitrary user input as an argument to some program
    you must be sure that this program will be able to handle it in safe
    manner. Personally I would ensure that user imput is clean and is
    something that the program expect before passing it to the program. It
    is just safer.
    
    SG> Can user run command of his choice by giving malicious input?
    SG> Is PERL's -T (Taint mode) the solution for this?
    
    Yes and no. Taint mode helps you to catch bugs when you pass arbitrary
    user input to system() by accident. Perl simply refuses to use tainted
    vars as arguments for system(). But if you willingly untaint it
    without actually verifing and removing bad dangerous data and then
    pass it to system() then Perl cannot help you. You are on your own
    here.
    
    You might want to read 'perldoc perlsec' to learn more about taint
    mode.
    
    -- 
    Ilya Martynov,  ilyaat_private
    CTO IPonWEB (UK) Ltd
    Quality Perl Programming and Unix Support
    UK managed @ offshore prices - http://www.iponweb.net
    Personal website - http://martynov.org
    



    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 14:31:11 PST