On Friday, Mar 28, 2003, at 11:01 US/Pacific, Jerry LeVan wrote:
[..]Let's say that I want to use a command (e.g., md5) on a file. No problem; just use:
system("md5 $file");
Yeah, this probably has some holes...
# to be safe, quote shell metacharacters
$command =~ s/([;<>\*\|`&\$!#\(\)\[\]\{\}:'"])/\\$1/g;
Parse($command);
--Jerry
While the above regex may not catch them all, it will get most of the purely dope ones.
I use a simpler test strategy
sub safe_input {
    ( $_[0] !~ m/[()|&;]+/); #? 0:1;
} # end of safe_input
since I am looking for the simpler set of issues, where the user has tried to 'pile on' to the command line I am about to use - and hence will NOT execute the command if I get 'questionable bits' - and will of course throw it back at the user with an 'error_page($whine)' that points out that I do not consider the input safe.
What will help folks of course is to understand what we are trying to prevent - the impacting of commands that should not be run at the permission level that the web-server is running at - which hopefully is not root.
think about the case of
$file = '/path/to/file ; ( find / -print | xargs rm -r -f )';
system("md5 $file");
DO NOT TRY THAT ONE AT HOME KIDDIES!!!!
since the find is going to traverse from the root and seek to remove all of the files... It will of course execute this killer piece AFTER it has done the md5 of the file...
{ note that this would contaminate any of the basic options, including backticks, open() and exec().... }
And BEFORE wiggins whines at me for not pointing at putting stuff that could be in a Module INTO a Module, y'all do know about
Digest::MD5
that is available from the CPAN that would mean not having to invoke it remotely...
ciao drieux
we Blog, therefore we exist:
http://www.wetware.com/drieux/PR/blog/
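
Added example, not part of the original thread: the Digest::MD5 route mentioned above, next to a list-form pipe open, which runs a child without any shell so a name full of metacharacters arrives as a single argument. The file name is constructed for the demonstration, its payload is a harmless echo, and `$^X` (the running perl) stands in for `md5` as an assumption so the block runs on any system.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample: a file whose *name* contains shell metacharacters.
my $dir  = tempdir(CLEANUP => 1);
my $file = File::Spec->catfile($dir, 'report.txt; echo INJECTED');
open(my $out, '>', $file) or die "create $file: $!";
print {$out} "hello\n";
close($out) or die "close $file: $!";

# Option 1: no child process at all. Three-argument open treats $path
# purely as a file name, so nothing inside it is ever interpreted.
sub md5_in_process {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    binmode($fh);
    my $hex = Digest::MD5->new->addfile($fh)->hexdigest;
    close($fh);
    return $hex;
}

# Option 2: when an external program is unavoidable, pass a LIST so no
# shell is started; each element becomes exactly one argv entry. The
# same rule holds for system(LIST), e.g. system('md5', $file).
# '--' ends option parsing, so a name starting with '-' is not a switch.
sub argv_seen_by_child {
    my ($path) = @_;
    my $report = 'print scalar(@ARGV), "\n", $ARGV[0]';
    open(my $ph, '-|', $^X, '-e', $report, '--', $path)
        or die "spawn: $!";
    local $/;                      # slurp the child's whole output
    my $seen = <$ph>;
    close($ph) or die "child failed: $?";
    return $seen;
}

print "md5:    ", md5_in_process($file), "\n";
my ($count, $arg) = split /\n/, argv_seen_by_child($file), 2;
print "argc:   $count\n";
print "intact: ", ($arg eq $file ? "yes" : "no"), "\n";
```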