Never trust user input. Assume it is malicious input unless you find otherwise. Perl is an awesome language for regex checking. It is very possible to misuse the system() command in Perl if you are just shoving user arguments directly to the system() call. Consider determining what exactly the arguments are supposed to look like, and validate it as it comes from the untrusted boundary (the argument itself) into the trusted boundary where you are about to use it (your code).

As an example, if the Perl script is expecting an integer value (maybe a port number, for instance) validate that it's actually an integer value between two particular numbers. The same would go for any other argument you are looking for.

To learn more on what taint mode is actually good for, check out:

http://gunther.web66.com/FAQS/taintmode.html

A combination of user input validation with taint may work for you, but taint alone should not be considered enough. Remember, all taint does is set the Perl interpreter into a paranoid mode that expects everything to be bad (a good thing (tm) ). However, you still need to validate the data itself.

---
Regards,
Dana M. Epp

----- Original Message -----
From: "Sandeep Giri" <sandeepgiriat_private>
To: <secprogat_private>
Sent: Tuesday, January 21, 2003 11:03 PM
Subject: Can System() of Perl be bypassed?


> Hi All,
> In my PERL code, I am using user's input as command line argument for the
> program being executed by System().
> Can a user run a command of his choice by giving malicious input?
> Is PERL's -T (Taint mode) the solution for this?
>
> Thanks.
>
> Sandeep Giri
>
This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 16:03:01 PST
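The validate-then-system() pattern the reply describes, written out as an added example. This is not code from the thread, nor Dana Epp's or Sandeep Giri's: the port and hostname checks, the environment scrubbing, and the use of 'nc -z' as a stand-in for whatever program the script actually wraps are all assumptions made here.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: validate untrusted arguments
# before they reach system(), with taint mode (-T) switched on.
# Run as:  perl -T check.pl HOST PORT   (or with no arguments for a demo)
use strict;
use warnings;

# Taint mode refuses to run system()/exec() until the environment is
# scrubbed, since PATH and the shell's startup variables are untrusted too.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# Port: digits only, then a range check.  The regex capture ($1) is what
# clears the taint flag; the range check is the part -T cannot do for you.
sub untaint_port {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([0-9]{1,5})\z/;
    my $port = $1;
    return undef if $port < 1 || $port > 65535;
    return $port;
}

# Hostname: RFC 1123-shaped labels joined by dots.  Nothing a shell cares
# about (; | & ` $ space, or a leading '-') can get through this pattern.
sub untaint_host {
    my ($raw) = @_;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return undef unless defined $raw && length($raw) <= 253
        && $raw =~ /\A((?:$label\.)*$label)\z/;
    return $1;
}

# Argument list for the program being wrapped.  'nc -z' is an assumed
# stand-in; substitute the real program and its real flags.
sub build_cmd {
    my ($host, $port) = @_;
    return ('nc', '-z', '-w', '3', $host, $port);
}

if (@ARGV == 2) {
    my $host = untaint_host($ARGV[0]);
    my $port = untaint_port($ARGV[1]);
    die "usage: $0 HOST PORT   (hostname, port 1-65535)\n"
        unless defined $host && defined $port;

    # UNSAFE, what the original question describes: one string handed to
    # /bin/sh.  A PORT of "80; id" would run id.  Under -T this dies with
    # "Insecure dependency in system" before anything runs, but only
    # because the data was tainted; untainted-but-unvalidated data passes.
    # system("nc -z -w 3 $host $port");

    # SAFE: the list form.  Perl execs the program directly, no shell is
    # involved, and each element is exactly one argv entry.
    my $rc = system(build_cmd($host, $port));
    die "exec failed: $!\n" if $rc == -1;
    printf "%s:%s %s\n", $host, $port,
        ($rc >> 8) == 0 ? 'open' : 'closed/filtered';
}
else {
    # Constructed inputs showing what the validators accept and reject.
    for my $p ('443', '0', '70000', '80; id', '22`id`', ' 80') {
        printf "port %-10s -> %s\n", "'$p'",
            defined untaint_port($p) ? 'ok' : 'rejected';
    }
    for my $h ('example.com', 'bad host', '$(id).example.com', '-n', 'a..b') {
        printf "host %-22s -> %s\n", "'$h'",
            defined untaint_host($h) ? 'ok' : 'rejected';
    }
}
```

Two things to keep in mind when adapting this. The regex capture is the only thing that untaints a value, so a capture like `/(.*)/` makes taint mode useless; the pattern has to describe exactly what a legitimate value looks like, and checks that a regex cannot express (the 1-65535 range) are written out separately. And the list form of system() is what removes the shell from the picture entirely; the single-string form goes through /bin/sh whenever the string contains shell metacharacters, which is precisely the case an attacker will construct.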