Re: Can System() of Perl be bypassed?

From: Ian Charnas (iccat_private)
Date: Wed Jan 22 2003 - 21:50:05 PST


    Sandeep, the accepted way to avoid this problem is to use exec() instead of
    system(), like so:
    
    #!/usr/bin/perl
    
    ## Author: Ian Charnas <icc at cwru dot edu>
    ## In this example, we pretend there is a web form with one
    ## input field, named "searchstring".  This CGI would be the
    ## 'action' for that form, and would simply grep through a file
    ## (say, /usr/share/dict/words ) and return the matching lines.
    
    ## Modules we'll need
    use IO::Handle;
    use CGI;
    
    ## Setup CGI
    $query = new CGI;
    print $query->header('text/html');
    
    my $pipereader = IO::Handle->new();
    my $pipewriter = IO::Handle->new();
    pipe($pipereader, $pipewriter);
    
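    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # this is the child (fork() returns 0 here), have it write to $pipewriter
        $pipereader->close();
        open(STDOUT, '>&' . $pipewriter->fileno()) or die "dup failed: $!";
        # list-form exec() never invokes a shell; "--" stops grep from
        # treating a search string that starts with "-" as an option, and
        # scalar() keeps a repeated form field from adding extra arguments
        exec("/bin/grep", "--", scalar($query->param('searchstring')),
             "/usr/share/dict/words") or exit(127);
    }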
    
    ## this is the parent, have it send the matching lines to the client,
    ## separated by a "<BR>"
    $pipewriter->close();
    while ($line = $pipereader->getline()) {print $line . "<BR>";}
    $pipereader->close();
    
    ----- Original Message -----
    From: "Sandeep Giri" <sandeepgiriat_private>
    To: <secprogat_private>
    Sent: Wednesday, January 22, 2003 2:03 AM
    Subject: Can System() of Perl be bypassed?
    
    
    >
    >
    > Hi All,
    > In my PERL code, I am using user's input as command line argument for the
    > program being executed by System().
    > Can user run command of his choice by giving malicious input?
    > Is PERL's -T (Taint mode) the solution for this?
    >
    > Thanks.
    >
    > Sandeep Giri
    >
    >
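
The difference the thread turns on, as an added example that is not part of the original messages: the same grep call made with a single command string and with an argument list, over constructed inputs. It goes slightly beyond the thread by also showing an input that begins with "-"; the temporary word list, the sample inputs and the `-F` flag are assumptions of this example, and `/bin/grep` is assumed to exist as in the reply above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;                                            # flush our prints before child output
open(STDIN, '<', '/dev/null') or die "stdin: $!";  # grep must never wait on a terminal

# Constructed word list and form values (not from the thread).
my $words = "/tmp/words.$$";
open(my $fh, '>', $words) or die "open $words: $!";
print $fh "apple\npineapple\nbanana\n";
close($fh);
my @inputs = ('apple', 'x; echo INJECTED', '-V');

for my $input (@inputs) {
    print "== input: [$input]\n";

    # Single string: Perl passes it to /bin/sh -c when it contains shell
    # metacharacters, so ";" ends the grep command and starts another.
    print "-- system(STRING)\n";
    system("/bin/grep -F $input $words");

    # List: grep is exec'd directly and $input is exactly one argv entry.
    # "--" ends option parsing, so "-V" is a pattern and not a flag.
    print "-- system(LIST)\n";
    my $rc = system('/bin/grep', '-F', '--', $input, $words);
    die "could not run grep: $!" if $rc == -1;
    print "(no match)\n" if ($rc >> 8) == 1;
}

unlink($words);
```

For the second and third inputs the string form runs something other than the intended search, while the list form only reports that the literal text was not found.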
    


