Hi,
On Wed, Jan 22, 2003 at 07:03:27AM -0000, Sandeep Giri wrote:
>
>
> Hi All,
> In my PERL code, I am using user's input as command line argument for the
> program being executed by System().
> Can user run command of his choice by giving malicious input?
> Is PERL's -T (Taint mode) the solution for this?
I do not have any experience with tainted mode but maybe these lines
will help:

    $filename = userinput();
    $filenameq = quotemeta($filename);
    system("echo $filenameq");

$filename will be interpreted as a single parameter.
FBO
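
An added example, not part of the original post or thread: it addresses the question about system() and -T by validating the input against an allowlist (which also untaints it under taint mode) and then calling system() in list form, so no shell parses the value. The permitted character set, the PATH value and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T example.pl [name ...]
# (-T on the #! line must also be given on the command line.)
use strict;
use warnings;

$| = 1;    # keep our output ordered with the child's output

# Taint mode refuses to run programs while PATH and friends are inherited.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist check. Returns the regex capture, which Perl treats as
# untainted, or undef when the input does not match.
# The character set and length limit are assumptions for this example.
sub clean_filename {
    my ($input) = @_;
    return undef unless defined $input;
    # \A and \z anchor the whole string; '$' would accept a trailing newline.
    # The first character may not be '-', so the value cannot look like an option.
    return $input =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,254})\z/ ? $1 : undef;
}

# Constructed sample inputs, used when no arguments are given.
my @inputs = @ARGV ? @ARGV : (
    'report.txt',
    'a; id',
    '$(id)',
    "name\nsecond line",
    '-n',
);

for my $raw (@inputs) {
    my $name = clean_filename($raw);
    if (!defined $name) {
        (my $shown = $raw) =~ s/[^\x20-\x7e]/?/g;    # printable form for the log
        print "rejected: $shown\n";
        next;
    }
    # List form: the program receives $name as exactly one argument
    # and no shell is started to interpret it.
    my $rc = system('echo', $name);
    warn "echo exited with status ", $? >> 8, "\n" if $rc != 0;
}
```

With the constructed inputs only report.txt reaches echo; the other four are rejected before system() is called.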