Brandon McCaig wrote:
Actually, forget the malicious users. If a script is being invoked
directly by a user then it'll probably not be malicious (who would
remove their home directory, and if they were going to why would they
use your script to do it?).

The problem isn't in scripts the users run directly, it's in the ones they run indirectly, as server code. A CGI is run under the userid of the web server; the user running it may not even have a userid on the system. In server code, you should do everything you can to prevent code injection, including running in full taint mode:

#!/usr/bin/perl -T

See `perldoc perlrun` and search for /\-T/ for details. Also see `perldoc perlsec`.


--
Just my 0.00000002 million dollars worth,
  Shawn

Programming is as much about organization and communication
as it is about coding.

I like Perl; it's the only language where you can bless your
thingy.

Eliminate software piracy:  use only FLOSS.
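What taint mode actually does for a CGI, as an added example that is not code from the original post: it shows -T refusing to pass tainted input to system(), the match-anything capture that "launders" taint without validating anything, and an allow-list untaint. The query strings are constructed for the example, and untaint_filename is a hypothetical helper.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post: what -T catches when CGI
# input reaches a system call, and the right vs. wrong way to untaint it.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value in %ENV is tainted; substr() keeps the taint even for
# an empty slice, so this gives us a tainted "" to stain constructed input.
my $taint = substr($ENV{PATH} // '', 0, 0);

# -T also refuses to run external commands while $ENV{PATH} is tainted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Only accept a plain basename ending in .txt; the capture is what untaints.
sub untaint_filename {
    my ($value) = @_;
    return $value =~ /\A([\w-]+\.txt)\z/ ? $1 : undef;
}

# Constructed query strings, tainted the way $ENV{QUERY_STRING} would be.
for my $query ($taint . 'file=report-2024.txt', $taint . 'file=../../etc/passwd') {
    (my $name = $query) =~ s/^file=//;          # s/// does not untaint
    printf "input %-20s tainted=%s\n", $name, tainted($name) ? 'yes' : 'no';

    # 1. Passing it straight to a command: -T dies with "Insecure dependency".
    eval { system('/bin/echo', $name) };
    print "  system() blocked: $@" if $@;

    # 2. The classic mistake: a match-anything capture "launders" the taint
    #    and -T can no longer help; the traversal string sails through.
    my ($laundered) = $name =~ /(.*)/;
    printf "  /(.*)/ untaints it, tainted=%s, value='%s'\n",
        tainted($laundered) ? 'yes' : 'no', $laundered;

    # 3. An allow-list pattern untaints only what it positively validates.
    my $safe = untaint_filename($name);
    print defined $safe ? "  accepted '$safe'\n" : "  rejected\n";
}
```

Run it as `perl -T example.pl`; perl refuses with "Too late for -T" when the switch is only on the #! line and the interpreter is invoked without it.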


