Re: Can System() of Perl be bypassed?
From: Ian Charnas (icc@po.cwru.edu)
Date: 01/23/03
- Previous message: FBO: "Re: Can System() of Perl be bypassed?"
- In reply to: Sandeep Giri: "Can System() of Perl be bypassed?"
- Next in thread: Brian Hatch: "Re: Can System() of Perl be bypassed?"
- Reply: Brian Hatch: "Re: Can System() of Perl be bypassed?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ian Charnas" <icc@po.cwru.edu>
To: "Sandeep Giri" <sandeepgiri@indiatimes.com>, <secprog@securityfocus.com>
Date: Thu, 23 Jan 2003 00:50:05 -0500
Sandeep, the accepted way to avoid this problem is to use exec() instead of
system(), like so:
#!/usr/bin/perl
## Author: Ian Charnas <icc at cwru dot edu>
## In this example, we pretend there is a web form with one
## input field, named "searchstring". This CGI would be the
## 'action' for that form, and would simply grep through a file
## (say, /usr/share/dict/words ) and return the matching lines.

## Modules we'll need
use strict;
use warnings;
use IO::Handle;
use CGI;

## Setup CGI
my $query = CGI->new;
print $query->header('text/html');

## Read the field in scalar context so a repeated parameter cannot
## expand into several grep arguments; default to the empty string.
my $searchstring = scalar $query->param('searchstring');
$searchstring = '' unless defined $searchstring;

my $pipereader = IO::Handle->new();
my $pipewriter = IO::Handle->new();
pipe($pipereader, $pipewriter) or die "pipe failed: $!";

## fork() returns 0 in the child and the child's pid in the parent
my $pid = fork();
die "fork failed: $!" unless defined $pid;

if ($pid == 0) {
    # this is the child, have it write to $pipewriter
    $pipereader->close();
    open(STDOUT, '>&' . $pipewriter->fileno()) or die "cannot dup STDOUT: $!";
    # list-form exec: the search string reaches grep as one argv element
    # and no shell is ever involved; "--" stops grep from reading a
    # leading "-" in the input as an option
    exec("/bin/grep", "--", $searchstring, "/usr/share/dict/words")
        or die "exec failed: $!";
}

## this is the parent, have it send the matching lines to the client,
## separated by a "<BR>"
$pipewriter->close();
while (my $line = $pipereader->getline()) { print $line . "<BR>"; }
$pipereader->close();
waitpid($pid, 0);
----- Original Message -----
From: "Sandeep Giri" <sandeepgiri@indiatimes.com>
To: <secprog@securityfocus.com>
Sent: Wednesday, January 22, 2003 2:03 AM
Subject: Can System() of Perl be bypassed?
>
>
> Hi All,
> In my PERL code, I am using the user's input as a command line argument for the
> program being executed by System().
> Can user run command of his choice by giving malicious input?
> Is PERL's -T (Taint mode) the solution for this?
>
> Thanks.
>
> Sandeep Giri
>
>
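The same grep CGI written with Perl's list-form pipe open, which also never invokes /bin/sh, and with the taint mode (-T) Sandeep asked about switched on so that the search string must be explicitly untainted before it can reach grep. This is an added example, not code from Ian's post or from any project; the field name, the dictionary path and the allow-list pattern are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): list-form pipe open plus
# taint-mode untainting. Field name, file path and allow-list are assumptions.
use strict;
use warnings;
use CGI;

# Under -T, Perl refuses to run external programs until PATH is set to an
# untainted value and the shell-sensitive variables are removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $query = CGI->new;
print $query->header('text/plain');

my $raw = scalar $query->param('searchstring');
$raw = '' unless defined $raw;

# Untaint with an allow-list: 1 to 40 word characters, nothing else.
# The regex capture is the only thing that clears the taint flag, and the
# allow-list also rules out a leading '-' that grep could read as an option.
my ($term) = $raw =~ /\A([A-Za-z0-9_]{1,40})\z/
    or do { print "invalid search string\n"; exit 0 };

# List-form pipe open: every element becomes one argv entry passed straight
# to execvp(), so metacharacters in $term are never interpreted by a shell.
# '--' ends option parsing on grep's side as a second line of defence.
open(my $grep, '-|', '/bin/grep', '--', $term, '/usr/share/dict/words')
    or die "cannot run grep: $!";

while (my $line = <$grep>) {
    print $line;
}
close($grep);   # $? now holds grep's exit status (1 = no match, 2 = error)
```

For offline testing, CGI.pm accepts name=value pairs on the command line, so `perl -T example.pl searchstring=foo` exercises the whole path without a web server. The `-T` on the shebang line only takes effect when the kernel runs the script directly; invoking it as `perl example.pl` without `-T` dies with "Too late for -T".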
- Next message: security@pablowe.net: "RE: Standards for developing secure software"