Actually, open is only a security hole if you allow the user to tell you
what to open at the command line.

I don't have the exact message in front of me, but my guess is that someone
said something like:

$_=<STDIN>;        # a line typed by the user, taken as-is
open(IN,"$_|");    # the trailing '|' makes open run $_ as a shell command

In which case if the user entered 'rm -rf /', it would try to delete
everything.  This would be especially disastrous if the script were run as a
superuser, in which case everything on the system would irretrievably vanish
in the blink of an eye.

So don't be afraid to use 'open' if you know exactly what you're opening ...
;)

-----Original Message-----
From: Mooney Christophe-CMOONEY1
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 9:41 AM
To: Perl Beginners
Subject: RE: Security Question


'rm -rf .' is a unix command that removes everything in the current
directory PERMANENTLY and UNCONDITIONALLY

-----Original Message-----
From: Customer Service [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 9:44 AM
To: Perl Beginners
Subject: Security Question


Dear Sirs,
I first of all wanted to apologize about sending so many redundant questions
to the list.  I wasn't aware that my wife was downloading my mail also and I
didn't see all of your replies to previous questions.  Won't happen again
;-))

I was reading a reply to a question this morning that stated that the open()
call is a big security hole because someone could put in ";rm -rf ."  as the
value for $email.
What does ";rm -rf ." do?  Why is it so dangerous?

Nathan Garlington
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

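The hazard discussed in this thread, shown side by side with the safe forms of open. This is an added example, not code posted by any of the participants; the hostile address string is constructed for illustration, and the dangerous two-argument form is only printed, never executed. The list form of open (`open($fh, '-|', $prog, @args)`) needs Perl 5.8 or later, so it postdates the 2001 messages above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: what a hostile user might type where an address is expected.
my $email = 'nobody@example.com; rm -rf .';

# 1. The pattern the thread warns about.  With two-argument open, a string
#    ending in '|' is handed to /bin/sh as a command line, so the ';' ends
#    the intended command and 'rm -rf .' runs in the current directory.
#    Shown only as the string the shell would receive, never executed here.
my $dangerous = "echo $email |";
print "2-arg open would pass this to the shell: $dangerous\n";

# 2. Hardened: the list form of open with '-|' runs the program directly,
#    bypassing the shell, so the whole value is a single literal argument.
sub run_echo_safely {
    my ($arg) = @_;
    open(my $out, '-|', '/bin/echo', $arg) or die "cannot run echo: $!";
    my $line = <$out>;
    close $out;
    chomp $line;
    return $line;
}
my $echoed = run_echo_safely($email);
print "list-form open echoed it back literally: $echoed\n";

# 3. Hardened: three-argument open for files.  The mode is given separately,
#    so a name such as '>/etc/passwd' or 'cmd|' is treated as a filename,
#    not as a redirection or a pipe.
sub read_file_safely {
    my ($name) = @_;
    open(my $in, '<', $name) or return undef;
    local $/;    # slurp the whole file
    my $data = <$in>;
    close $in;
    return $data;
}

# 4. Validate before use when the value must reach a shell anyway (an older
#    Perl, or a command that cannot be run in list form): accept only an
#    allowlisted character set and reject everything else.  Shell
#    metacharacters such as ';', '|', '`' and '$' are simply not in the set.
sub looks_like_address {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}
print looks_like_address($email) ? "accepted\n" : "rejected '$email'\n";
print looks_like_address('user@example.com') ? "accepted\n" : "rejected\n";
```

Running the script under taint mode (`perl -T`) adds a further check: Perl refuses to pass tainted input such as `<STDIN>` to the shell or to open-as-pipe until it has been extracted through a regex match like the one in `looks_like_address`.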
