RE: Can System() of Perl be bypassed?

From: Tom Arseneault (TArseneaultat_private)
Date: Wed Jan 22 2003 - 15:10:39 PST

    Taint stops you from using the raw input in the system command (you need to
    touch the data in some way to un-taint it, see the docs for more info) but
    if you miss something when you process his/her input you can still run into
    problems. So while it's a help, proper handling of the data (getting rid of
    shell escape characters or better yet create a char class of good characters
    and only allow them through to the system command) is the way to go.
    
    Tom
    
    -----Original Message-----
    From: Sandeep Giri [mailto:sandeepgiriat_private]
    Sent: Tuesday, January 21, 2003 11:03 PM
    To: secprogat_private
    Subject: Can System() of Perl be bypassed?
    
    
    
    
    Hi All,
    In my PERL code, I am using the user's input as a command line argument for the
    program being executed by System().
    Can a user run a command of his choice by giving malicious input?
    Is PERL's -T (Taint mode) the solution for this?
    
    Thanks.
    
    Sandeep Giri
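
The approach described in the reply, as an added example that is not code from either poster: taint mode combined with an allowlist character class, next to a careless untaint pattern that satisfies -T while checking nothing. The sub names, the sample inputs and the use of /bin/echo are assumptions made for illustration; the list form of system(), which runs the program without a shell, goes one step beyond what the thread mentions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to run external programs with an inherited PATH.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist untaint (hypothetical helper): only a regex capture clears the
# taint flag, so the pattern is the whole policy. \A and \z stop a trailing
# newline from slipping past; the first class rejects option-like values.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

# Careless untaint, for contrast (hypothetical helper): /(.*)/ clears the
# taint flag without checking anything, the "miss something" case.
sub untaint_careless {
    my ($raw) = @_;
    return $raw =~ /(.*)/s ? $1 : undef;
}

# Arguments from the command line are tainted under -T. With none given,
# fall back to constructed samples standing in for user input.
my @inputs = @ARGV ? @ARGV : ('report.txt', 'a.txt; id', '$(id)', '-rf', "name\n");

for my $input (@inputs) {
    (my $shown = $input) =~ s/\n/\\n/g;
    my $safe = untaint_name($input);
    if (!defined $safe) {
        my $loose = untaint_careless($input);
        my $note  = defined $loose ? 'would pass' : 'would also reject';
        print "rejected: '$shown' (careless pattern $note)\n";
        next;
    }
    # List-form system() hands each argument straight to the program;
    # no shell parses the string, so metacharacters carry no meaning.
    my $rc = system('/bin/echo', 'accepted:', $safe);
    warn "echo failed: $?\n" if $rc != 0;
}
```

Run it as `perl -T script.pl [args]` or as an executable file; Perl refuses to start if -T appears on the #! line but not on the command line.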
    


