RE: Secure Form Script?
From: Glynn Clements (glynn.clements_at_virgin.net)
Date: 05/16/04
- Previous message: Tim Greer: "RE: Secure Form Script?"
- In reply to: Bryce Porter: "RE: Secure Form Script?"
- Next in thread: Stephen Samuel: "Re: Secure Form Script?"
- Reply: Stephen Samuel: "Re: Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 16 May 2004 10:52:05 +0100 To: "Bryce Porter" <bporter@heart.net>
Bryce Porter wrote:
> Also, what if you call sendmail directly, but quote it wrong? Someone
> could send an email with '; cat /etc/passwd' or whatever they wanted in
> it, and have it be executed with the same permissions the script is
> running as. Directly executing anything is a big risk no matter how you
> look at it, as far as I'm concerned.
No. The risk isn't in *directly* executing a program; it's executing
it via the shell.
So long as you use an interface which allows you to specify the
individual arguments (argv[]) directly, as opposed to a single string
which is passed to the shell, you don't have to worry about
shell-syntax issues.
In perl, if you pass an array with more than one element to either
exec or system, the command is executed directly without using the
shell.
OTOH, if you pass a scalar or a single-element array, it may be passed
to the shell (if the string contains no shell metacharacters, perl
will use its own trivial shell emulation instead). Similarly,
backticks use the shell.
-- Glynn Clements <glynn.clements@virgin.net>
- Previous message: Tim Greer: "RE: Secure Form Script?"
- In reply to: Bryce Porter: "RE: Secure Form Script?"
- Next in thread: Stephen Samuel: "Re: Secure Form Script?"
- Reply: Stephen Samuel: "Re: Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
