Re: Can System() of Perl be bypassed?

From: Luciano Miguel Ferreira Rocha (strangeat_private-ip.org)
Date: Thu Jan 23 2003 - 16:27:49 PST

    On Thu, Jan 23, 2003 at 02:15:43PM -0800, Brian Hatch wrote:
    > > my @args = ($Keywords,....);
    > > my @cmd = ("$JAVA",
    > > 	     "-search.home=$SEARCH_HOME",
    > > 	     "Searcher",
    > > 	     @args);
    > > (system(@cmd) == 0) || error();
    > > 
    > > Need I be more paranoid than this and use my own regex to filter out 
    > > keywords myself?
     
    > However I have no idea if those values could be used to
    > break the program itself ($JAVA).  If this program were
    > running with greater privs (suid, CGI, etc) then they can
    > supply a new $SEARCH_HOME path then they could cause their
    > own code to run.  If there are bad keywords then you aren't
    > doing anything to get rid of them.  (Or, preferably, only
    > allowing good keywords.)
    
    Java (at least Sun's sdk) ignores any options after a class or jar file,
    and passes them to the application instead.
    
    Regards,
    Luciano Rocha
    
    -- 
    Consciousness: that annoying time between naps.
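
Added example, not part of the original thread: a Perl sketch of the two points discussed above, namely that list-form system()/exec hands each argument to the child without a shell, and that user keywords should be allowlisted and placed only after the class name. The values of $JAVA and $SEARCH_HOME, the helper names (valid_keyword, build_cmd, argv_seen_by_child) and the allowlist pattern are assumptions; the running perl ($^X) stands in for the child process, so Java is not needed to run it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical values standing in for the thread's $JAVA and $SEARCH_HOME.
my $JAVA        = '/usr/bin/java';
my $SEARCH_HOME = '/opt/search';

# Assumed allowlist: 1-32 letters, digits or underscores. This rejects a
# leading '-' and every shell metacharacter instead of trying to strip them.
sub valid_keyword {
    my ($kw) = @_;
    return defined $kw && $kw =~ /\A[A-Za-z0-9_]{1,32}\z/;
}

# Build the argument list for list-form system(). The trusted option goes
# before the class name; user-supplied keywords only ever follow it.
sub build_cmd {
    my @keywords = @_;
    my @bad = grep { !valid_keyword($_) } @keywords;
    die "rejected keyword(s): @bad\n" if @bad;
    return ($JAVA, "-search.home=$SEARCH_HOME", 'Searcher', @keywords);
}

# Show what a child process receives when arguments are passed as a list.
# List-form pipe open execs directly, like system(@cmd); no shell parses it.
sub argv_seen_by_child {
    my @args = @_;
    open(my $fh, '-|', $^X, '-e', 'print join("\n", @ARGV)', '--', @args)
        or die "cannot start child: $!";
    chomp(my @seen = <$fh>);
    close $fh;
    return @seen;
}

# Constructed sample inputs: shell metacharacters and an option look-alike.
my @hostile = ('foo; echo injected', '$(id)', '-search.home=/tmp/x');

# Each element arrives in the child as one literal argument, unexpanded.
print "child saw: [$_]\n" for argv_seen_by_child(@hostile);

# The allowlist accepts the plain keyword and refuses the other three.
for my $kw ('firewall', @hostile) {
    my @cmd = eval { build_cmd($kw) };
    print @cmd ? "ok:  @cmd\n" : "err: $@";
}
```
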
    


