Re: Can System() of Perl be bypassed?

From: Glynn Clements (glynn.clementsat_private)
Date: Wed Jan 22 2003 - 14:37:14 PST

    Sandeep Giri wrote:
    
    > In my PERL code, I am using user's input as command line argument for the
    > program being executed by System().
    > Can user run command of his choice by giving malicious input?
    
    It depends upon how it is called. The entry for "system" in the
    perlfunc(1) manpage says:
    
        Note that argument processing varies depending on the
        number of arguments.  If there is more than one
        argument in LIST, or if LIST is an array with more
        than one value, starts the program given by the
        first element of the list with arguments given by
        the rest of the list.  If there is only one scalar
        argument, the argument is checked for shell
        metacharacters, and if there are any, the entire
        argument is passed to the system's command shell
        for parsing (this is /bin/sh -c on Unix platforms,
        but varies on other platforms).  If there are no
        shell metacharacters in the argument, it is split
        into words and passed directly to execvp(), which
        is more efficient.
    
    So, if there's a single scalar argument (i.e. you generate a single
    string by concatenating the user's input with some other data), then
    yes, the user can execute arbitrary commands.
    
    > Is PERL's -T (Taint mode) the solution for this?
    
    The obvious solution is to either use multiple arguments or an array
    with more than one element, so that the shell isn't used.
    
    There may be advantages to using taint mode as well, but that's a
    separate issue.
    
    -- 
    Glynn Clements <glynn.clementsat_private>
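
The calling forms described in the reply above, side by side, as an added example that is not part of the original message. The input string and the `run` helper are constructed for illustration, and the last case (the indirect-object form documented in perlfunc) goes slightly beyond what the message covers.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our labels before each child process writes its output

# Constructed sample input: a file name followed by a shell metacharacter.
my $input = 'report.txt; echo INJECTED';

# Hypothetical helper: print a label, run the supplied call, report failures.
sub run {
    my ($label, $call) = @_;
    print "--- $label\n";
    my $status = $call->();
    warn "command failed, wait status $status\n" if $status != 0;
}

# 1. Single scalar built by concatenation. It contains a metacharacter, so
#    perl hands the whole string to /bin/sh -c and the shell treats ';' as
#    a command separator: two commands run instead of one.
run('single string', sub { system("echo checking $input") });

# 2. LIST with more than one element. perl starts the program directly,
#    and $input reaches it as one literal argument.
run('list form', sub { system('echo', 'checking', $input) });

# 3. An array holding only ONE value is handled like the single scalar,
#    so merely wrapping the string in an array does not avoid the shell.
my @one = ("echo checking $input");
run('one-element array', sub { system(@one) });

# 4. Indirect-object form: the program is named in the block and the shell
#    is never used, whatever the length of the list.
my @argv = ('echo', 'checking', $input);
run('indirect object form', sub { system { $argv[0] } @argv });
```

On a Unix system, cases 1 and 3 show the text after the `;` being run as a second command, while cases 2 and 4 echo the whole input back as ordinary data.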
    


