Sandeep Giri wrote:

> In my PERL code, I am using user's input as command line argument for the
> program being executed by System().
> Can user run command of his choice by giving malicious input?

It depends upon how it is called. The entry for "system" in the
perlfunc(1) manpage says:

    Note that argument processing varies depending on the number of
    arguments. If there is more than one argument in LIST, or if LIST is
    an array with more than one value, starts the program given by the
    first element of the list with arguments given by the rest of the
    list. If there is only one scalar argument, the argument is checked
    for shell metacharacters, and if there are any, the entire argument
    is passed to the system's command shell for parsing (this is /bin/sh
    -c on Unix platforms, but varies on other platforms). If there are no
    shell metacharacters in the argument, it is split into words and
    passed directly to execvp(), which is more efficient.

So, if there's a single scalar argument (i.e. you generate a single string
by concatenating the user's input with some other data), then yes, the user
can execute arbitrary commands.

> Is PERL's -T (Taint mode) the solution for this?

The obvious solution is to either use multiple arguments or an array with
more than one element, so that the shell isn't used. There may be
advantages to using taint mode as well, but that's a separate issue.

-- 
Glynn Clements <glynn.clementsat_private>
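[Editor's note, not part of either message above.] The following script is an added example of the two argument forms the quoted perlfunc text distinguishes. It is not code from Sandeep's program or from Glynn's reply; the helper names (vulnerable_ls, safe_ls, describe_status) and the default input string are constructed for illustration. It needs a Unix-like system with /bin/sh and ls.

```perl
#!/usr/bin/perl
# Added example, not from the original message: the same user-controlled
# string handed to system() both ways. Needs a Unix-like system with /bin/sh
# and ls. The default $input below is constructed to show the difference.
use strict;
use warnings;

# "User input": a filename followed by a shell metacharacter and a second
# command. Pass your own on the command line to experiment.
my $input = @ARGV ? $ARGV[0] : 'nonexistent.txt; echo INJECTED';

# Decode the 16-bit status that system() leaves in $? into readable text.
sub describe_status {
    my ($status) = @_;
    return "failed to start: $!"                  if $status == -1;
    return "killed by signal " . ($status & 127)  if $status & 127;
    return "exit code " . ($status >> 8);
}

# 1. Single scalar argument. Because the string contains ';', perl hands the
#    whole thing to /bin/sh -c. The shell sees two commands, "ls -l
#    nonexistent.txt" and "echo INJECTED", and runs both. The status that
#    comes back is the shell's, i.e. that of the last command (echo), so the
#    failure of ls is masked as well.
sub vulnerable_ls {
    my ($name) = @_;
    my $status = system("ls -l $name");
    return describe_status($status);
}

# 2. List form. 'ls' is the program; every remaining element is one argv
#    entry passed straight to execvp(). No shell is involved, so the
#    semicolon and "echo INJECTED" are just part of one (bogus) filename.
#    The '--' stops ls from reading a name like "-a" as an option, which the
#    shell-free form does not prevent on its own.
sub safe_ls {
    my ($name) = @_;
    my $status = system('ls', '-l', '--', $name);
    return describe_status($status);
}

print "--- single-string form (goes through /bin/sh) ---\n";
print "ls: ", vulnerable_ls($input), "\n";

print "--- list form (execvp, no shell) ---\n";
print "ls: ", safe_ls($input), "\n";
```

Two checks worth making when applying this. First, the list form only bypasses the shell when the list has more than one element; a one-element array that happens to contain metacharacters is treated as the scalar case. perlfunc's indirect-object form, system { $cmd[0] } @cmd, forces the execvp path regardless of the element count. Second, taint mode is not a substitute for the list form: with -T on the shebang and $input taken from @ARGV, both calls above die with an "Insecure dependency" error (as does any system() call until $ENV{PATH} is set to a fixed value), so -T makes you untaint the data explicitly rather than making the call safe by itself, which is the sense in which it is a separate issue.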
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 15:20:38 PST