At 08:28 12.20.2001 -0500, Kevin Meltzer wrote:
>Am I just the overly paranoid one? But IMO doing this can be dangerous.
>Tainting isn't just for CGIs, and adding a -T to this shows it can be
>dangerous ($ENV{PATH} issue, since you don't really know what uptime you will
>end up calling). Again, I may be the overly-paranoid (read safe) one :)

There is nothing wrong with being overly paranoid except that if you are over
paranoid all the time you might as well turn your computer off, unplug it from
the wall and the ethernet, and lock it up in a box since that would be the
safest it could be. =P

OTH, you point out an obvious possibility. At this point it would be up to the
end-user to be careful since technically it will run the first 'uptime' it
finds in the existing $ENV{PATH}. Any script you run has the possibility of
running an unknown binary but I get the idea that this isn't going to be used
for CGI (which is good) and I am not sure what else you could do. 'uptime' is
a pretty harmless program but then again, it's that kind of thinking that gets
us in trouble.

- Jim

>Cheers,
>Kevin
>
>On Thu, Dec 20, 2001 at 12:16:49AM -0800, John W. Krahn ([EMAIL PROTECTED])
>said something similar to:
> > Or simply:
> >
> > perl -le'print join",",(split/,/,`uptime`)[0..2]'
> >
>
>--
>[Writing CGI Applications with Perl - http://perlcgi-book.com]
>Stupidity is the basic building block of the universe.
> -- Frank Zappa
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]

- Jim
Philosophy is for those who have nothing better to do than wonder why
philosophy is for those who have nothing better to do than...

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
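The $ENV{PATH} point Kevin raises is exactly what -T enforces. The script below is an added example, not code posted by anyone in this thread: it first tries John's bare `uptime` call under -T, which Perl refuses because the inherited $ENV{PATH} is tainted, then applies the standard fix (assign a trusted PATH, clear the other shell-influencing variables, and call the binary by absolute path). The location /usr/bin/uptime is an assumption; adjust it for your platform.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): what -T does to a bare `uptime`
# call, and the usual fix. Assumes a Unix-like system with the binary at
# /usr/bin/uptime (assumed path; adjust as needed).
use strict;
use warnings;

# Under -T, $ENV{PATH} inherited from the caller is tainted, so any
# backtick/system call dies ("Insecure $ENV{PATH} while running with
# -T switch") before any binary is even looked up. Catch it to show that.
my $first_try = eval { my $ignored = `uptime`; 1 }
    ? "ran\n"
    : "refused: $@";
print "With inherited PATH: $first_try";

# Fix: assign a PATH made only of directories you trust, drop the other
# variables a shell may honour, and name the binary by absolute path so
# no PATH search happens at all.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $uptime_bin = '/usr/bin/uptime';   # assumed location
die "no executable at $uptime_bin\n" unless -x $uptime_bin;

my $raw = `$uptime_bin`;
die "uptime exited with status $?\n" if $? != 0;
chomp $raw;

# Same field selection as John's one-liner: the first three
# comma-separated fields, joined back with commas.
print join(",", (split /,/, $raw)[0..2]), "\n";
```

Run it as `perl -T uptime_t.pl` (or make it executable and run it directly so the shebang's -T takes effect); invoking it as `perl uptime_t.pl` fails with "Too late for -T". The first print shows the refusal, the second shows the same output as the one-liner once PATH is under the script's control rather than the caller's.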