Re: Can System() of Perl be bypassed?

From: Glynn Clements (glynn.clementsat_private)
Date: Thu Jan 23 2003 - 15:00:40 PST


    Sandeep Giri wrote:
    
    > Thanks a lot to you and all who replied to my message.
    > Taking a chapter from the replies, now I've changed my code to:
    > 
    > #!/usr/bin/perl -T -W 
    > use Getopt::Long;
    > my $key_words;
    > my $help;
    > GetOptions('kw=s'    => \$key_words,
    > 	     'help'    => \$help) || usage();
    > my @args = ($key_words,....);
    > my @cmd = ("$JAVA",
    > 	     "-search.home=$SEARCH_HOME",
    > 	     "Searcher",
    > 	     @args);
    > (system(@cmd) == 0) || error();
    > 
    > Need I be more paranoid than this and use my own regex to filter out 
    > keywords myself?
    
    By passing an array to system(), you ensure that the shell won't be
    used.
    
    There's still the issue of whether the target program can cope with
    every possible combination of arguments which might be thrown at it. 
    
    That's really an issue for the target program itself rather than the
    script which calls it. However, if you have any doubts about the
    vulnerability of the target program, you might want to limit its
    arguments to only those which make sense.
    
    After all, there wouldn't be any need for mail servers to perform
    virus scanning if Outlook etc. weren't actually susceptible to viruses.
    
    -- 
    Glynn Clements <glynn.clementsat_private>
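
The two points above (list-form system() keeps the shell out of the picture; a whitelist keeps the target program from seeing arguments it was never meant to handle) combined in one script. This is an added illustration, not code from either poster: the keyword policy, the untaint_keyword name and the use of printf(1) as a stand-in for the Java launcher are all assumptions made here so that it runs anywhere.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Getopt::Long;

# Under -T every byte from the environment or the command line is tainted,
# and system() refuses to run with tainted arguments, so fix PATH and drop
# the variables /bin/sh would honour if a shell were ever involved.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical keyword policy: letters, digits, '_', '.', '-', 1 to 64 chars.
# Returning the capture group is what clears Perl's taint flag; anything
# outside the whitelist is rejected outright rather than escaped.
sub untaint_keyword {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    return $1;
}

my @keywords;    # --kw may be given more than once
my $help;
GetOptions('kw=s' => \@keywords, 'help' => \$help)
    or die "usage: $0 --kw WORD [--kw WORD ...]\n";
die "usage: $0 --kw WORD [--kw WORD ...]\n" if $help || !@keywords;

# Filter first, so the child process only ever receives arguments that
# make sense for it; this is the "limit its arguments" step from the reply.
my @clean;
for my $kw (@keywords) {
    my $ok = untaint_keyword($kw);
    die "rejected keyword (not in whitelist): $kw\n" unless defined $ok;
    push @clean, $ok;
}

# One list element per argument.  Because system() gets a list, Perl calls
# execvp() directly and each element reaches the child verbatim; no shell
# ever gets a chance to split it or interpret ; | $ or quotes.  In the
# original script 'printf' and the format string would be $JAVA and
# "-search.home=$SEARCH_HOME"; printf(1) is used here so that every
# argument is echoed on its own line exactly as the child received it.
my @cmd = ('printf', "arg=[%s]\n", 'Searcher', @clean);
(system(@cmd) == 0) or die "command failed, status $?\n";
```

Run it as `./script.pl --kw perl --kw 'x;id'`: the first keyword prints as `arg=[perl]`, the second is rejected before any command runs. Note that `-T` must be on the shebang line (or given as `perl -T script.pl`); supplying it later on the command line is an error.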
    

    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 10:18:00 PST