Re: Can System() of Perl be bypassed?
From: Glynn Clements (glynn.clements@virgin.net)
Date: 01/24/03
- Previous message: Jose Nazario: "Re: Secure programming FAQ?"
- In reply to: Sandeep Giri: "Re: Can System() of Perl be bypassed?"
- Next in thread: NESTING, DAVID M (SBCSI): "RE: Can System() of Perl be bypassed?"
From: Glynn Clements <glynn.clements@virgin.net>
Date: Thu, 23 Jan 2003 23:00:40 +0000
To: Sandeep Giri <sandeepgiri@indiatimes.com>
Sandeep Giri wrote:
> Thanks a lot to you and all who replied to my message.
> Taking a chapter from the replies, I've now changed my code to:
>
> #!/usr/bin/perl -T -W
> use Getopt::Long;    # needed for GetOptions()
> my $key_words;
> my $help;
> GetOptions('kw=s' => \$key_words,
>            'help' => \$help) || usage();
> my @args = ($key_words, ....);
> # list form: each element is one argv entry, no shell involved
> my @cmd = ("$JAVA",
>            "-search.home=$SEARCH_HOME",
>            "Searcher",
>            @args);
> (system(@cmd) == 0) || error();
>
> Need I be more paranoid than this and use my own regex to filter out
> keywords myself?
By passing an array to system(), you ensure that the shell won't be
used.
There's still the issue of whether the target program can cope with
every possible combination of arguments which might be thrown at it.
That's really an issue for the target program itself rather than the
script which calls it. However, if you have any doubts about the
vulnerability of the target program, you might want to limit its
arguments to only those which make sense.
After all, there wouldn't be any need for mail servers to perform
virus scanning if Outlook etc. weren't actually susceptible to viruses.
-- Glynn Clements <glynn.clements@virgin.net>
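The two points above (list-form system() keeps the shell out of the picture; an allowlist on the argument values keeps surprises away from the child program) together, as an added example that is not code from either poster. The paths in $JAVA and $SEARCH_HOME are assumed placeholders, and the "-search.home" flag spelling is simply taken from the quoted script.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): list-form system() under taint mode,
# with an allowlist check on the keyword before it reaches the child program.
use strict;
use warnings;
use Getopt::Long;

# Taint mode insists on a sanitised environment before any child is spawned.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my ($key_words, $help);
GetOptions('kw=s' => \$key_words, 'help' => \$help) or usage();
usage() if $help || !defined $key_words;

# Allowlist: word characters, whitespace and '-' only, bounded in length.
# Quotes, ';', '|', '$', backticks and newlines are rejected outright rather
# than relied upon to be harmless. The capture is also what untaints the
# value for perl -T, so nothing unchecked can reach system().
my ($clean) = $key_words =~ /\A([\w\s-]{1,200})\z/
    or die "keywords contain characters outside the allowlist\n";

# Assumed locations; adjust for the real installation.
my $JAVA        = '/usr/bin/java';
my $SEARCH_HOME = '/opt/searcher';

# List form: perl execs $JAVA directly with these argv entries. No /bin/sh is
# involved, so $clean is delivered as exactly one argument whatever it holds.
my @cmd = ($JAVA, "-search.home=$SEARCH_HOME", 'Searcher', $clean);

# For contrast only: the single-string form is parsed by /bin/sh, which is
# what makes metacharacters in user-supplied keywords dangerous.
# system("$JAVA -search.home=$SEARCH_HOME Searcher $key_words");

system(@cmd) == 0
    or die "Searcher failed with exit status " . ($? >> 8) . "\n";

sub usage { die "usage: $0 --kw 'search words'\n" }
```

Run it directly (the -T on the shebang is honoured when the script is executed, not when passed to perl by hand without -T); an input such as `--kw 'foo; rm -rf /'` is refused by the allowlist before any process is started.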
- Next message: Jason Coombs: "RE: PGP scripting..."