Sandeep Giri wrote:

> Thanks a lot to you and all who replied to my message.
> Taking chapter from replies, now I've changed my code to:
>
> #!/usr/bin/perl -T -W
> my $key_words;
> my $help;
> GetOptions('kw=s' => \$key_words,
>            'help' => \$help) || usage();
> my @args = ($Keywords,....);
> my @cmd = ("$JAVA",
>            "-search.home=$SEARCH_HOME",
>            "Searcher",
>            @args);
> (system(@cmd) == 0) || error();
>
> Need I be more paranoid than this and use my own regex to filter out
> keywords myself?

By passing an array to system(), you ensure that the shell won't be used.

There's still the issue of whether the target program can cope with
every possible combination of arguments which might be thrown at it.
That's really an issue for the target program itself rather than the
script which calls it.

However, if you have any doubts about the vulnerability of the target
program, you might want to limit its arguments to only those which
make sense. After all, there wouldn't be any need for mail servers to
perform virus scanning if Outlook etc. weren't actually susceptible to
viruses.

--
Glynn Clements <glynn.clementsat_private>
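
The reply's suggestion of limiting the arguments to those which make sense, as an added example that is not code from this thread. The keyword policy, the sample inputs and the use of the running perl binary as a stand-in for the Java searcher are all assumptions.

```perl
use strict;
use warnings;
$| = 1;    # keep our output ordered with the child's

# Assumed policy (not from the thread): at most 8 keywords, each 1-32
# characters from [A-Za-z0-9_-], and the first character never a hyphen.
my $MAX_KEYWORDS = 8;

# Returns the validated keywords, or dies on the first one that fails.
# Only the regex capture is passed on; under -T that capture is also
# what untaints the value.
sub validate_keywords {
    my ($raw) = @_;
    die "no keywords given\n" unless defined $raw;
    my @words = grep { length } split /[\s,]+/, $raw;
    die "no keywords given\n"  unless @words;
    die "too many keywords\n" if @words > $MAX_KEYWORDS;
    my @clean;
    for my $w (@words) {
        # \A and \z anchor the whole string; '$' would let a trailing
        # newline through. A leading hyphen is refused so a keyword can
        # never be read by the target program as one of its options.
        $w =~ /\A([A-Za-z0-9_][A-Za-z0-9_-]{0,31})\z/
            or die "rejected keyword '$w'\n";
        push @clean, $1;
    }
    return @clean;
}

# Constructed sample inputs, as they might arrive in --kw.
my @samples = ('buffer overflow', 'perl,taint-mode',
               '-search.home=/tmp', 'report;id', "ok\n-x");

for my $input (@samples) {
    my @kw = eval { validate_keywords($input) };
    if ($@) {
        chomp(my $err = $@);
        print "REJECT: $err\n";
        next;
    }
    # List form of system(): no shell is involved. Under -T, %ENV
    # (PATH in particular) would also have to be set to known values.
    my @cmd = ($^X, '-e', 'print "arg: $_\n" for @ARGV', '--', @kw);
    system(@cmd) == 0 or die "child failed: $?\n";
}
```

The third sample shows why the list form alone is not the whole answer: it contains no shell metacharacters, yet it would reach the target program looking like one of its own options.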
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 10:18:00 PST