Sandeep Giri wrote:
> In my PERL code,I am using user's input as command line argument for the
> program being executed by System().
> Can user run command of his choice by giving malicious input?
It depends upon how it is called. The entry for "system" in the
perlfunc(1) manpage says:
Note
that argument processing varies depending on the
number of arguments. If there is more than one
argument in LIST, or if LIST is an array with more
than one value, starts the program given by the
first element of the list with arguments given by
the rest of the list. If there is only one scalar
argument, the argument is checked for shell
metacharacters, and if there are any, the entire
argument is passed to the system's command shell
for parsing (this is /bin/sh -c on Unix platforms,
but varies on other platforms). If there are no
shell metacharacters in the argument, it is split
into words and passed directly to execvp(), which
is more efficient.
So, if there's a single scalar argument (i.e. you generate a single
string by concatenating the user's input with some other data), then
yes, the user can execute arbitrary commands.
> Is PERL's -T (Taint mode) the solution for this?
The obvious solution is to either use multiple arguments or an array
with more than one element, so that the shell isn't used.
There may be advantages to using taint mode as well, but that's a
separate issue.
--
Glynn Clements <glynn.clementsat_private>
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 15:20:38 PST