On Fri, Sep 15, 2000 at 09:19:14AM -0400, Chaim Frenkel wrote:
> >>>>> "JH" == Jarkko Hietaniemi <[EMAIL PROTECTED]> writes:
>
> >> (Someone remind me, What is the point of -T if not running setuid?)
> JH> Being paranoid is never a bad idea because They are always out to get you.
>
> That's fine, but tell me what security breach can be caused by not having
> a -T?
It can be a development tool for the white hat. The -T forces you
to think about where your data comes from and to sanitize your data carefully.
> The perl code is available to be read. So what can a perl program do
It may not be. Think CGI.
> that the black hat couldn't by tweaking the code? The code is running
> under the black hat's privileges and uid.
The code is running under whatever poor security measures the silly
subclued webmaster set it up to be, and has access to whichever files
yadayadayada.
--
$jhi++; # http://www.iki.fi/jhi/
# There is this special biologist word we use for 'stable'.
# It is 'dead'. -- Jack Cohen
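An added illustration of the taint-check discipline discussed in the thread (example code written for this note, not code from the thread's authors or from the perl distribution). It stands in for a CGI script: the QUERY_STRING fallback value and the allowed-filename pattern are assumptions.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl  (-T must be present when perl starts)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T perl refuses to spawn external commands while PATH is tainted,
# so set it explicitly and drop the variables that influence a shell.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for a CGI parameter: everything read from %ENV,
# STDIN or @ARGV is tainted, and so is anything derived from it.
my $input = $ENV{QUERY_STRING} // 'report.txt';

# The only way to untaint is a regex capture: the captured groups are
# considered clean, so the pattern itself is the policy being enforced.
sub launder_filename {
    my ($raw) = @_;
    my ($clean) = $raw =~ /^(\w[\w.-]*)$/
        or return;    # "../etc/passwd", "a;rm -rf /" etc. fall through here
    return $clean;
}

printf "input tainted: %s\n", tainted($input) ? 'yes' : 'no';

my $file = launder_filename($input)
    // die "refusing '$input': not a plain filename\n";

printf "laundered value tainted: %s\n", tainted($file) ? 'yes' : 'no';

# Passing $input here instead of $file would abort with
# "Insecure dependency in system while running with -T switch".
system('wc', '-l', '--', $file) == 0
    or warn "wc exited with status ", $? >> 8, "\n";
```

Try it with QUERY_STRING set to a name containing a slash or a semicolon to see the laundering step reject it before any command runs.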