Sandeep, the accepted way to avoid this problem is to use exec() instead of
system(), like so:
#!/usr/bin/perl
## Author: Ian Charnas <icc at cwru dot edu>
## In this example, we pretend there is a web form with one
## input field, named "searchstring". This CGI would be the
## 'action' for that form, and would simply grep through a file
## (say, /usr/share/dict/words ) and return the matching lines.
## Modules we'll need
use IO::Handle;
use CGI;
## Setup CGI
$query = new CGI;
print $query->header('text/html');
my $pipereader = IO::Handle->new();
my $pipewriter = IO::Handle->new();
pipe($pipereader, $pipewriter);
if ($pid=fork()) {
# this is the child, have it write to $pipewriter
$pipereader->close();
open(STDOUT, '>&' . $pipewriter->fileno());
exec("/bin/grep", $query->param('searchstring'),
"/usr/share/dict/words");
}
## this is the parent, have it send the matching lines to the client,
## separated by a "<BR>"
$pipewriter->close();
while ($line = $pipereader->getline()) {print $line . "<BR>";}
$pipereader->close();
----- Original Message -----
From: "Sandeep Giri" <sandeepgiri@indiatimes.com>
To: <secprog@securityfocus.com>
Sent: Wednesday, January 22, 2003 2:03 AM
Subject: Can System() of Perl be bypassed?
>
>
> Hi All,
> In my PERL code,I am using user's input as command line argument for the
> program being executed by System().
> Can user run command of his choice by giving malicious input?
> Is PERL's -T (Taint mode) the solution for this?
>
> Thanks.
>
> Sandeep Giri
>
>
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 09:51:40 PST