--- "Randal L. Schwartz" <[EMAIL PROTECTED]> wrote:
> >>>>> "Rene" == Rene Verharen <[EMAIL PROTECTED]> writes:
>
> Rene> The (sub)dirs I want to create are input from a form, so I had to
> Rene> change your example a little because
>
> Rene> my @dir=qw($FORM{'dir'});
>
> No no no! This is a security hole, unless you've also validated the
> data using code you didn't show. Please either *say* that or *show*
> that... we have a lot of beginners looking over your shoulder.
The amusing thing is, in this tiny example, this winds up NOT being a
security hole only because the author forgot (or didn't know) that qw//
does not interpolate variables (perldoc perlop):

    $ perl -e '
        $FORM{'dir'} = shift;
        my @dir = qw($FORM{'dir'});
        print "@dir\n$FORM{'dir'}"' 'rm -fr /'
    $FORM{dir}
    rm -fr /

Blind luck saves the day (though, to be fair, once that programmer
realizes the problem, the fix would probably introduce a security
problem).

Cheers,
Curtis "Ovid" Poe

=====
"Ovid" on http://www.perlmonks.org/
Someone asked me how to count to 10 in Perl:
push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A
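The thread makes two points at once: qw// is a literal word list (so the posted line never saw the form value), and the moment someone "fixes" it by interpolating the value, a form field becomes a directory name with no validation in between. The following script is an added illustration, not code from Rene, Randal or Curtis. It assumes a constructed %FORM hash in place of a real CGI parser, a temporary directory as the base instead of a real site path, and a hypothetical helper safe_subdir that allowlists directory names; the rejected inputs in the demo loop are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed stand-in for the CGI %FORM hash from the thread. A real
# script would fill this from the request (CGI.pm, query string, ...).
my %FORM = (dir => 'photos/2024');

# 1. Why the posted line was harmless: qw// builds a literal list, so it
#    yields the text '$FORM{'dir'}' rather than the value of the form field.
my @literal = qw($FORM{'dir'});   # -> ("\$FORM{'dir'}")

# 2. The obvious "fix" is the dangerous line: the raw form value is now in
#    @dir and flows into whatever creates the directories.
my @unchecked = ($FORM{dir});

# 3. Validate before use (hypothetical helper). Accept only a relative path
#    of components made of [A-Za-z0-9_-], each starting alphanumeric; this
#    rejects '..', a leading '/', whitespace and every shell metacharacter.
#    Returning the capture also untaints the value under perl -T.
sub safe_subdir {
    my ($input) = @_;
    return unless defined $input;
    my $comp = qr{[A-Za-z0-9][A-Za-z0-9_-]*};
    return unless $input =~ m{^($comp(?:/$comp)*)\z};
    return $1;
}

# 4. Create the validated path under a fixed base with the mkdir builtin,
#    never system("mkdir ..."): no shell is involved, so nothing in the
#    name can be interpreted as a command.
sub make_subdirs {
    my ($base, @subdirs) = @_;
    my @made;
    for my $want (@subdirs) {
        my $clean = safe_subdir($want);
        if (!defined $clean) {
            warn "rejected directory name: ", ($want // 'undef'), "\n";
            next;
        }
        my $path = $base;
        for my $part (split m{/}, $clean) {
            $path = File::Spec->catdir($path, $part);
            next if -d $path;
            mkdir $path, 0755 or die "mkdir $path: $!";
        }
        push @made, $path;
    }
    return @made;
}

# Demo on a throwaway base directory (assumed; a site would use a fixed path).
my $base = tempdir(CLEANUP => 1);

# The qw// literal from the thread is rejected: it contains '$', '{' and "'".
print "qw literal accepted? ", (defined safe_subdir($literal[0]) ? "yes" : "no"), "\n";

# Constructed candidates: one good name, the rest hostile or malformed.
my @candidates = ('photos/2024', '../etc', 'rm -fr /', 'a;b', '/absolute');
my @created = make_subdirs($base, @candidates);
print "created: $_\n" for @created;   # only $base/photos/2024
```

The allowlist is deliberately narrower than what a filesystem permits; if the site needs dots or spaces in directory names, widen the component pattern explicitly rather than switching to a denylist, and keep the base path fixed so a valid-looking name can never climb out of it.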