Re: Can System() of Perl be bypassed?

From: FBO (fbo2at_private)
Date: Thu Jan 23 2003 - 01:32:27 PST


    Hi,
    
    On Wed, Jan 22, 2003 at 07:03:27AM -0000, Sandeep Giri wrote:
    > 
    > 
    > Hi All,
    > In my PERL code, I am using user's input as command line argument for the 
    > program being executed by System().
    > Can user run command of his choice by giving malicious input?
    > Is PERL's -T (Taint mode) the solution for this?
    I do not have any experience with tainted mode but maybe these lines
    will help:
    
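     # userinput() stands for whatever returns the untrusted string
     $filename  = userinput();
     # quotemeta() backslash-escapes every non-word character
     $filenameq = quotemeta($filename);
     system("echo $filenameq");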
     
    $filename will be interpreted as a single parameter.
    
    
    FBO
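
Added example, not part of the original thread: a comparison of the single-string `system()` form with `quotemeta()` against the list form of `system()`, which never invokes a shell, together with the allowlist-and-capture check that taint mode (`-T`) requires before a value may reach `system()`. It assumes a POSIX `/bin/sh`; the sample inputs and the helper names (`checked_name`, `run_via_shell`, `run_direct`) are constructed for illustration, and the empty and newline-containing inputs are included because backslash escaping does not carry them through the shell unchanged.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep parent and child output in order

# Constructed sample inputs standing in for userinput() in the post.
my @samples = ("report.txt", "a b;c", "-x.txt", "two\nlines", "");

my $perl = $^X;    # the running perl, reused as a harmless child program
# Child program: reports how many arguments it received and their lengths.
my $child = q{printf "%d arg(s), lengths: %s\n", scalar(@ARGV), join(",", map { length } @ARGV)};

# Allowlist validation (also the idiom that untaints a value under -T):
# accept only a plain file name that does not start with '-' or '.',
# and hand back the captured copy rather than the raw input.
sub checked_name {
    my ($raw) = @_;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,254})\z/ ? $1 : undef;
}

# Single-string form, as in the post: /bin/sh parses the command line.
sub run_via_shell {
    my ($arg)  = @_;
    my $prog   = quotemeta($perl);
    my $quoted = quotemeta($arg);
    return system("$prog -e '$child' -- $quoted");
}

# List form: perl executes the program directly and no shell sees $arg.
# The '--' stops the child from reading a leading '-' as an option.
sub run_direct {
    my ($arg) = @_;
    return system($perl, '-e', $child, '--', $arg);
}

for my $input (@samples) {
    (my $shown = $input) =~ s/\n/\\n/g;
    print "input \"$shown\" (length ", length($input), ")\n";
    print "  shell + quotemeta: "; run_via_shell($input);
    print "  list form:         "; run_direct($input);
    my $ok = checked_name($input);
    print "  allowlist:         ", (defined $ok ? "accepted" : "rejected"), "\n";
}
```

Comparing the reported argument count and lengths with the input length on each line shows where the two forms differ.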
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 09:31:12 PST