On Tue, 2 Sep 2008, Raymond Wan wrote:

> Is this safe? If not, does anyone have any advice on what I should do
> to ensure this is secure? For example, I was just suggested by someone
> that if any user input is passed directly to the external program, it
> better not allow the semi-colon or else someone could just add ";ls".
> So, this type of suggestion...anything else I should look out for?
Someone else recommended taint mode, but I'm not a big fan of it. It probably won't _hurt_, but I've been bitten by bugs in taint mode way too many times (like it breaks the regex engine somehow).

In the particular case of using system() or exec(), the #1 most important thing to do is to make sure that you call it with a list of arguments:

  system( $cmd, @args );

This ensures that Perl will _not_ pass this command to your system's shell for execution. Avoiding the shell avoids all the problems of things like semi-colons, etc. Instead, Perl will just use a system call directly to execute the command. That means your command sees the _literal_ value of each argument, without any shell interpolation.

Note that I have no idea how this works on non-Unix systems.

Also, this does not protect you from users doing things like putting "../../../../../../../../../etc/shadow" as an argument and seeing what happens. This you still have to handle yourself.

-dave

/*==========================
VegGuide.Org
Your guide to all that's veg
==========================*/
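The two points in the reply above, list-form system() and the separate path check, as an added example that is not from the thread. It assumes a Unix-like system with an `echo` binary; the `path_within_base` helper and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed sample input of the kind the question worries about.
my $user_arg = 'report.txt; ls /';

# Single-string form: because the string contains shell metacharacters,
# Perl would hand it to /bin/sh and the ';' would start a second command.
# Left as a comment on purpose, never executed here:
#   system("echo $user_arg");

# List form: no shell is involved, so 'echo' receives the whole string as
# one literal argument and prints it back unchanged.
my $rc = system('echo', $user_arg);
die "echo failed: $?" if $rc != 0;

# The list form does nothing about path-style arguments such as
# "../../../../etc/shadow"; that check is still the application's job.
# Hypothetical helper: resolve the requested path and accept it only if
# it stays inside $base_dir. realpath() returns undef for paths that do
# not exist or cannot be resolved, and those are rejected as well.
sub path_within_base {
    my ($base_dir, $requested) = @_;
    my $base = realpath($base_dir) or return;
    my $full = realpath(File::Spec->catfile($base, $requested));
    return unless defined $full;
    # Accept $base itself or anything strictly beneath it.
    return $full if $full eq $base || index($full, "$base/") == 0;
    return;
}

# Constructed base directory holding one legitimate file.
my $base = tempdir(CLEANUP => 1);
open my $fh, '>', "$base/safe.txt" or die "cannot create sample file: $!";
close $fh;

for my $candidate ('safe.txt', '../../../../../../../../../etc/shadow') {
    my $ok = path_within_base($base, $candidate);
    print defined $ok ? "allowed: $ok\n" : "rejected: $candidate\n";
}
```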

