Re: Can System() of Perl be bypassed?

From: FBO (fbo2@gmx.net)
Date: 01/23/03

    Date: Thu, 23 Jan 2003 10:32:27 +0100
    From: FBO <fbo2@gmx.net>
    To: secprog@securityfocus.com
    
    

    Hi,

    On Wed, Jan 22, 2003 at 07:03:27AM -0000, Sandeep Giri wrote:
    >
    >
    > Hi All,
    > In my PERL code, I am using user's input as a command line argument for the
    > program being executed by System().
    > Can a user run a command of his choice by giving malicious input?
    > Is PERL's -T (Taint mode) the solution for this?
    I do not have any experience with tainted mode, but maybe these lines
    will help:

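     # userinput() stands in for however the program obtains the user's input
     $filename  = userinput();
     # backslash-escape every non-word character before the shell sees it
     $filenameq = quotemeta($filename);
     system("echo $filenameq");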
     
    $filename will be interpreted as a single parameter.

    FBO
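
Added example, not part of FBO's message or of the original thread: it goes beyond the posted snippet by comparing the string form with quotemeta() against the list form of a pipe open, which (like `system LIST`) runs the program without a shell, and adds an allowlist check of the kind taint mode (-T) requires before a value may be used. The child one-liner, the function names and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Child code: report how many arguments arrived and how long each one is.
# It contains no single quotes, so it can sit inside '...' in a shell string.
my $child = 'print scalar(@ARGV), q{ arg(s), lengths: }, join(q{,}, map { length } @ARGV)';

# Allowlist check; under -T a regex capture like this is also what untaints.
# The first character may not be "-", so the value cannot be read as an option.
sub validate_filename {
    my ($input) = @_;
    return $input =~ /\A([A-Za-z0-9_.][A-Za-z0-9_. -]{0,254})\z/ ? $1 : undef;
}

# List form: perl execs the program directly, so no shell parses the input.
sub via_list {
    my ($arg) = @_;
    open(my $fh, '-|', $^X, '-e', $child, '--', $arg) or die "exec failed: $!";
    local $/;                      # slurp the child's whole output
    my $out = <$fh>;
    close($fh);
    return $out;
}

# String form as in the post: quotemeta() output is parsed by /bin/sh.
# Assumes the path in $^X contains no shell metacharacters.
sub via_shell_quotemeta {
    my ($arg) = @_;
    my $q = quotemeta($arg);
    return scalar qx{$^X -e '$child' -- $q};
}

# Constructed sample inputs (not from the original post).
my @samples = ('report.txt', 'name with spaces.txt', 'a;b|c.txt',
               "two\nlines.txt", '');

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;    # make the newline visible in the report
    printf "%-24s list: %-26s sh+quotemeta: %-26s allowlist: %s\n",
        "[$shown]", via_list($s), via_shell_quotemeta($s),
        defined validate_filename($s) ? 'accept' : 'reject';
}
```

For the newline and empty-string samples the two columns differ: the shell treats backslash-newline as a line continuation and drops an argument that quotes to nothing, while the list form delivers each input as exactly one unchanged argument.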


