This is somewhat alarming to me because I hadn't realized this potential
before, but is there an easy way to check what is being opened? Would using a
-f() or -d() to verify that you were actually opening a file or directory do
the trick?

-Bob

--- Mooney Christophe-CMOONEY1 <[EMAIL PROTECTED]> wrote:
> Actually, open is only a security hole if you allow the user to tell you
> what to open at the command line.
> 
> I don't have the exact message in front of me, but my guess is that someone
> said something like:
> 
> $_ = <STDIN>;        # user-supplied string, newline and all
> open(IN, "$_|");     # two-argument open: a trailing '|' runs $_ as a command
> 
> In which case if the user entered 'rm -rf /', it would try to delete
> everything.  This would be especially disastrous if the script were run as a
> superuser, in which case everything on the system would irretrievably vanish
> in the blink of an eye.
> 
> So don't be afraid to use 'open' if you know exactly what you're opening ...
> ;)
> 
> -----Original Message-----
> From: Mooney Christophe-CMOONEY1
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 9:41 AM
> To: Perl Beginners
> Subject: RE: Security Question
> 
> 
> 'rm -rf .' is a unix command that removes everything in the current
> directory PERMANENTLY and UNCONDITIONALLY
> 
> -----Original Message-----
> From: Customer Service [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 9:44 AM
> To: Perl Beginners
> Subject: Security Question
> 
> 
> Dear Sirs,
> I first of all wanted to apologize about sending so many redundant questions
> to the list.  I wasn't aware that my wife was downloading my mail also and I
> didn't see all of your replies to previous questions.  Won't happen again
> ;-))
> 
> I was reading a reply to a question this morning that stated that the open()
> call is a big security hole because someone could put in ";rm -rf ."  as the
> value for $email.
> What does ";rm -rf ." do?  Why is it so dangerous?
> 
> Nathan Garlington
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> 
> 
> -- 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 


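The point of the exchange above, as an added example that is not code posted by anyone in the thread: with the two-argument open(), the second argument is parsed for '<', '>', '>>' and a leading or trailing '|', so a user-supplied string is never "just a filename". A -f or -d test in front of it is not a complete fix, because a file whose literal name ends in '|' passes the test and open() still runs the command. The fix is the three-argument open(), where the program fixes the mode and the user string can only ever be a path, ideally combined with an allow-list on the characters. The function names, the temp directory and the constructed attacker input below are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from any participant.
# Demonstrates: (1) two-argument open() running a command, (2) the
# three-argument form refusing to, (3) why a bare -f check is not enough,
# (4) allow-listing plus three-argument open confined to a base directory.
# Function names, the temp directory and the sample input are assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Throwaway directory holding one legitimate file, so the example runs offline.
my $base = tempdir(CLEANUP => 1);
open(my $out, '>', "$base/notes.txt") or die "create: $!";
print $out "hello from notes.txt\n";
close $out;

sub slurp {
    my ($fh) = @_;
    local $/;                 # read the whole handle at once
    my $data = <$fh>;
    close $fh;
    return $data;
}

# 1. Two-argument open: the string is parsed for redirection and pipe
#    characters. With a trailing '|' Perl runs it as a command and reads
#    the command's output.
sub open_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    return slurp($fh);
}

# 2. Three-argument open: the mode '<' is fixed by the program, so $name is
#    only ever a path. Shell characters in it just make the open fail.
sub open_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    return slurp($fh);
}

# 3. A -f test before a two-argument open rejects input that names no file,
#    but it is not a real fix: if a file literally named 'echo INJECTED |'
#    exists, -f is true and open() still runs the command.
sub open_after_f_check {
    my ($name) = @_;
    return "rejected: not a regular file" unless -f $name;
    return open_two_arg($name);
}

# 4. Allow-list the characters (no '/', so '../' cannot get through), take the
#    captured group so the value is untainted under perl -T, confine the
#    result to $base and open it with the three-argument form.
sub open_allowlisted {
    my ($name) = @_;
    chomp $name;              # real <STDIN> input carries its newline
    return "rejected: bad characters" unless $name =~ /\A([\w.-]+)\z/;
    return open_three_arg("$base/$1");
}

# Constructed attacker input in the style of the quoted snippet, with a
# harmless command in place of 'rm -rf'.
my $evil = "echo INJECTED |";
my $good = "notes.txt";

print "two-arg open       : ", open_two_arg($evil);            # runs echo
print "three-arg open     : ", open_three_arg($evil), "\n";    # no such file
print "-f then two-arg    : ", open_after_f_check($evil), "\n";
print "allow-list + 3-arg : ", open_allowlisted($evil), "\n";  # rejected
print "allow-list + 3-arg : ", open_allowlisted($good);        # file contents
```

Run it with a plain `perl`, then again with `perl -T`: under taint mode the two-argument open on unchecked input dies outright, and the allow-listed version still works because the path is built from the captured match.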