Tom Allison said:
> I'm trying to make a little perl script that reads the subject
> lines from email.
>
> Problem that I see is being able to correctly remove the "bad"
> characters, like embedding perl code into the subject line...
>
> Example:
> Subject: Hello `rm -rf /*` have a nice day!
> Would, I suspect, be a bad thing to have.
>
> True? Would it execute?

That depends on what you do with it. If it's just a string that you are
passing around there's no problem. If you (string) eval the subject for
some reason then you should be wary. If it gets to the shell somehow,
maybe by using it as a filename to open, then you should also be careful.

> Is there some safe way to be sure to catch everything?

A magic bullet? I doubt it. There's no substitute for thinking hard about
what you want to do. But, use strict, warnings and tainting. It's probably
safer to specify the characters which are allowed, rather than those which
aren't. And the smaller you can make that set, the less you'll have to
worry about. Of course, that goes against the principle of being liberal
in what you accept, so you'll have to make your own judgement.

--
Paul Johnson - [EMAIL PROTECTED]
http://www.pjcj.net

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
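The approach Paul outlines (taint mode plus a whitelist of allowed characters, and never letting the raw subject reach the shell) as an added example in Perl. This is not code from the thread; the sample subjects, the allowed character set, and the helper names `clean_subject` and `subject_to_filename` are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): untaint an email Subject
# line by whitelisting characters, running under taint mode (-T).
use strict;
use warnings;

# Constructed sample subjects; the first is the one from the thread.
my @subjects = (
    'Hello `rm -rf /*` have a nice day!',
    'Re: meeting notes (2nd draft)',
    "Weekly report\n| mail someone\@example.invalid",
);

# Whitelist: letters, digits, space and a short list of punctuation.
# Shell metacharacters (backtick, $, |, ;, newline, ...) are deliberately
# absent. Returns the cleaned subject, or nothing if nothing usable is left.
sub clean_subject {
    my ($subject) = @_;
    return unless defined $subject;

    # Strip every character outside the allowed set. Note that tr///
    # does NOT untaint the result under -T; only a regex capture does.
    (my $clean = $subject) =~ tr/A-Za-z0-9 .,:!?()_-//cd;
    $clean =~ s/^\s+|\s+$//g;    # trim leading/trailing whitespace

    # The capture below is what untaints $1. Without it, taint mode would
    # refuse to let the value reach open(), system() and friends.
    return unless $clean =~ /\A([A-Za-z0-9 .,:!?()_-]{1,200})\z/;
    return $1;
}

# Derive a filename that is safe to pass to open(): only [a-z0-9_] and '.'.
sub subject_to_filename {
    my ($clean) = @_;
    (my $name = lc $clean) =~ s/[^a-z0-9]+/_/g;
    $name =~ s/^_+|_+$//g;
    return unless length $name;
    return substr($name, 0, 64) . '.txt';
}

for my $subj (@subjects) {
    my $clean = clean_subject($subj);
    if (!defined $clean) {
        (my $shown = $subj) =~ s/\n/\\n/g;
        print "rejected: $shown\n";
        next;
    }
    my $file = subject_to_filename($clean);
    print "subject: $clean\n";
    print "  file:  $file\n";

    # Three-argument open with an explicit mode: the filename is taken
    # literally, unlike the two-argument open("$file"), which would
    # interpret a leading '|' or '>' in the name. (Left commented so the
    # example makes no changes on disk.)
    # open my $fh, '>', $file or die "open $file: $!";

    # If a command is ever needed, the list form of system() bypasses the
    # shell entirely, so the subject is never parsed for metacharacters:
    # system('grep', '-c', '--', $clean, 'mbox');
}
```

Run it as `perl -T example.pl` (a `-T` in the shebang alone makes perl complain with "Too late for -T" when the script is started via `perl script.pl`). Stripping, as done here, is the more forgiving choice; rejecting any subject that contains a disallowed character is stricter and easier to reason about, which is the judgement call Paul refers to.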