On Friday, Mar 28, 2003, at 12:19 US/Pacific, Bob Showalter wrote:
drieux wrote:... think about the case of
    $file = '/path/to/file ; ( find / -print | xargs rm -r -f )';
    system("md5 $file");
DO NOT TRY THAT ONE AT HOME KIDDIES!!!!
Wouldn't
    system('md5', $file);
Be safer, since the list form of system() bypasses the shell? Consider:
    $ perl -e "system('md5 /etc/passwd; echo Hello')"
    MD5 (/etc/passwd) = 232522a1340d0956071c7b8b005a627b
    Hello
versus:
    $ perl -e "system('md5','/etc/passwd; echo Hello')"
    md5: /etc/passwd; echo Hello: No such file or directory
You are correct that this clearly demonstrates - in a much safer way - the 'piling on' problem - and how that would be detected.
And hence why I basically like the strategy of putting the Args in the additional fields, as in your second case.
A part of why I opted for the test if the input is safe before proceeding is that it provides a more 'generic' interface to the problem of getting information from a web browser to be dealt with - and with that help people think in terms of how they are planning to manage the exception cases.
One could of course go with trapping the problem the old-fashioned way of
    if ( -f $file ) {
        # list-form pipe open: the shell is never involved, and the
        # command's output is captured (system() would only return the exit status)
        open( my $md5_fh, '-|', 'md5', $file ) or return( error_page($no_file_whine) );
        $md5_digest_value = <$md5_fh>;
        close($md5_fh);
    }
    else {
        return( error_page($no_file_whine) );
    }
We might also argue with say
    #!/usr/bin/perl -w
    use strict;
    use Digest::MD5;

    open( FD, "/etc/passwd" ) || die "no such file: $!\n";
    my $ctx = Digest::MD5->new;
    $ctx->addfile(*FD);            # feed the whole file to the digest object
    my $digest = $ctx->hexdigest;  # object method is hexdigest (md5_hex is the functional interface)
    print $digest . "\n";
    close(FD);
in which we have not had to go out for the system but stayed inside perl....
YMMV, VWPBL, MCLRICRL,
HTH.
ciao drieux
we Blog, therefore we exist:
http://www.wetware.com/drieux/PR/blog/
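Putting the three ideas from the thread side by side (check the input before proceeding, list-form execution that bypasses the shell, and staying inside Perl with Digest::MD5), here is an added example that is not part of either poster's message. It constructs its own temp file and a hostile "filename" of the same shape as the `; echo Hello` test above; the md5/md5sum path probing and the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Digest::MD5;

# Constructed sample input: one real temp file, and a "filename" that
# carries a trailing shell command, like Bob's '; echo Hello' test.
my ( $tmp, $real_file ) = tempfile();
print {$tmp} "hello world\n";
close $tmp;
my $hostile = "$real_file; echo Hello";

# 1. Stay inside Perl: no external command, so there is no shell to abuse.
sub md5_in_perl {
    my ($path) = @_;
    open( my $in, '<', $path ) or return ( undef, "cannot open '$path': $!" );
    binmode $in;
    my $hex = Digest::MD5->new->addfile($in)->hexdigest;
    close $in;
    return ( $hex, undef );
}

# 2. External tool via list-form pipe open: argv goes straight to execve(),
#    so the metacharacters in $path are just bytes inside one argument.
#    Assumption: the host has BSD md5 or GNU md5sum at one of these paths.
sub md5_via_list_exec {
    my ($path) = @_;
    my $tool = -x '/sbin/md5' ? '/sbin/md5' : '/usr/bin/md5sum';
    open( my $pipe, '-|', $tool, $path ) or return ( undef, "cannot run $tool: $!" );
    my $out = do { local $/; <$pipe> };
    close $pipe;                     # after close, $? holds the child's exit status
    return ( undef, "$tool exited with status " . ( $? >> 8 ) ) if $?;
    my ($hex) = $out =~ /([0-9a-f]{32})/i;   # both tools print a 32-hex digest
    return ( $hex, undef );
}

# 3. drieux's "test first" interface: refuse anything that is not a plain
#    file before any digesting happens, so the caller handles one error path.
sub digest_or_error {
    my ($candidate) = @_;
    return "refused: not a plain file" unless -f $candidate;
    my ( $hex, $err ) = md5_in_perl($candidate);
    return defined $hex ? $hex : $err;
}

for my $candidate ( $real_file, $hostile ) {
    print "$candidate\n";
    print "  checked + Digest::MD5: ", digest_or_error($candidate), "\n";
    # Even without the -f gate, the list form fails closed: the tool reports
    # a missing file instead of the shell running 'echo Hello'.
    my ( $hex, $err ) = md5_via_list_exec($candidate);
    print "  list-form exec:        ", ( defined $hex ? $hex : $err ), "\n";
}
unlink $real_file;
```

Run it as `perl md5_safe.pl`: the real file yields the same digest from both paths, while the hostile name is refused by the `-f` check and, in the list-form branch, produces the tool's "No such file" error plus a non-zero exit status rather than a second command. The stderr line from md5/md5sum is the detection signal Bob's second transcript shows.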