Re: Can System() of Perl be bypassed?

From: Glynn Clements (glynn.clements@virgin.net)
Date: 01/22/03

    From: Glynn Clements <glynn.clements@virgin.net>
    Date: Wed, 22 Jan 2003 22:37:14 +0000
    To: Sandeep Giri <sandeepgiri@indiatimes.com>
    
    

    Sandeep Giri wrote:

    > In my PERL code, I am using the user's input as a command line argument for the
    > program being executed by System().
    > Can a user run a command of his choice by giving malicious input?

    It depends upon how it is called. The entry for "system" in the
    perlfunc(1) manpage says:

        Note
        that argument processing varies depending on the
        number of arguments. If there is more than one
        argument in LIST, or if LIST is an array with more
        than one value, starts the program given by the
        first element of the list with arguments given by
        the rest of the list. If there is only one scalar
        argument, the argument is checked for shell
        metacharacters, and if there are any, the entire
        argument is passed to the system's command shell
        for parsing (this is /bin/sh -c on Unix platforms,
        but varies on other platforms). If there are no
        shell metacharacters in the argument, it is split
        into words and passed directly to execvp(), which
        is more efficient.

    So, if there's a single scalar argument (i.e. you generate a single
    string by concatenating the user's input with some other data), then
    yes, the user can execute arbitrary commands.

    > Is PERL's -T (Taint mode) the solution for this?

    The obvious solution is to either use multiple arguments or an array
    with more than one element, so that the shell isn't used.

    There may be advantages to using taint mode as well, but that's a
    separate issue.

    -- 
    Glynn Clements <glynn.clements@virgin.net>
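
The two calling conventions described in the reply, side by side, as an added example that is not part of the original thread. The input string is constructed for the demonstration; the `run_no_shell` wrapper and its name are my own and cover an edge case the perlfunc excerpt implies but the thread does not spell out: a one-element array is treated like a single scalar, so it can still reach the shell.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input standing in for an untrusted form field.
# It contains a shell metacharacter (';').
my $user_input = 'report.txt; echo INJECTED';

# 1. Single scalar argument. Perl spots the metacharacter and hands the
#    whole string to /bin/sh -c, so the text after ';' runs as a second
#    command. This is the pattern the question describes; shown only
#    for contrast. Output: two lines, "report.txt" and "INJECTED".
print "--- scalar form (shell is used) ---\n";
system("echo $user_input");

# 2. List form with more than one element. Perl calls execvp() directly
#    with argv = ("echo", "report.txt; echo INJECTED"); no shell parses
#    it, so the ';' is printed literally as part of one argument.
print "--- list form (no shell) ---\n";
system('echo', $user_input);

# 3. Wrapper for the general case (hypothetical helper, not from the
#    thread). Edge case from the manpage text: system(@argv) with a
#    ONE-element array behaves like the scalar form and may still use
#    the shell. The indirect-object form  system { PROGRAM } LIST  always
#    goes through execvp(), even with a single element, so use that.
sub run_no_shell {
    my @argv = @_;
    die "run_no_shell: empty command\n" unless @argv;

    my $status = system { $argv[0] } @argv;
    if ($status == -1) {
        # execvp() itself failed (e.g. program not found); nothing ran.
        warn "run_no_shell: could not execute '$argv[0]': $!\n";
        return undef;
    }
    return $status >> 8;    # exit code of the child process
}

print "--- wrapper, two elements (no shell) ---\n";
my $exit = run_no_shell('echo', $user_input);
print "exit code: $exit\n";

# Even if the whole tainted string ends up as the only element, the
# wrapper tries to execvp() a program literally named
# "report.txt; echo INJECTED". That fails and returns undef; the
# injected "echo INJECTED" is never interpreted by a shell.
print "--- wrapper, one element (still no shell) ---\n";
my $exit2 = run_no_shell($user_input);
print "exit code: ", (defined $exit2 ? $exit2 : 'not executed'), "\n";
```

Run it with `perl system_demo.pl` on a Unix host; the first section shows the shell splitting the input into two commands, the second and third show `echo` receiving the metacharacters as inert text, and the last section fails to start any program at all. In a real program the wrapper would be the only call site for external commands, with the program name fixed in code and only the arguments coming from user data.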
    

