Sandeep, the accepted way to avoid this problem is to use exec() instead of system(), like so: #!/usr/bin/perl ## Author: Ian Charnas <icc at cwru dot edu> ## In this example, we pretend there is a web form with one ## input field, named "searchstring". This CGI would be the ## 'action' for that form, and would simply grep through a file ## (say, /usr/share/dict/words ) and return the matching lines. ## Modules we'll need use IO::Handle; use CGI; ## Setup CGI $query = new CGI; print $query->header('text/html'); my $pipereader = IO::Handle->new(); my $pipewriter = IO::Handle->new(); pipe($pipereader, $pipewriter); if ($pid=fork()) { # this is the child, have it write to $pipewriter $pipereader->close(); open(STDOUT, '>&' . $pipewriter->fileno()); exec("/bin/grep", $query->param('searchstring'), "/usr/share/dict/words"); } ## this is the parent, have it send the matching lines to the client, ## separated by a "<BR>" $pipewriter->close(); while ($line = $pipereader->getline()) {print $line . "<BR>";} $pipereader->close(); ----- Original Message ----- From: "Sandeep Giri" <sandeepgiriat_private> To: <secprogat_private> Sent: Wednesday, January 22, 2003 2:03 AM Subject: Can System() of Perl be bypassed? > > > Hi All, > In my PERL code,I am using user's input as command line argument for the > program being executed by System(). > Can user run command of his choice by giving malicious input? > Is PERL's -T (Taint mode) the solution for this? > > Thanks. > > Sandeep Giri > >
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 09:51:40 PST