>>>>> "Rob" == Rob Dixon <[EMAIL PROTECTED]> writes:
Rob> Randal L. Schwartz wrote:
>>
>> >>>>> "Dan" == Dan Muey <[EMAIL PROTECTED]> writes:
>>
>> Dan> for(`ls /files/`) {
>> Dan>   if(`cat $_ |grep $string`) { push(@matchedfiles,$_); }
>> Dan> }
>>
>> Hmm. Where to begin?
>>
>> - Dangerous use of ls.
>> - Useless use of cat.
>> - Dangerous use of backticks.
>> - Shelling out when every one of those steps is done as well
>>   or better by Perl.
>> - Insecure use of child shells

Rob> Hi Randal.

Rob> I'll buy most of those, but wonder at your choice of 'dangerous'
Rob> and 'insecure'?

Rob> The return from the 'ls' backtick is certainly unpredictable and
Rob> dependent on context. Is that what you mean? And surely backticks
Rob> can't be inherently dangerous in any sense, only the command line
Rob> that they embrace?

It's not a full PATH, hence it is subject to PATH manipulation.
It doesn't deal with filenames that contain newlines.

Rob> It would be useful if you could explain what security breaches
Rob> are potentiated by 'child shells' (and isn't this just another
Rob> phrase for 'backticks'?)

Rob> 'Shelling out' ('backticks' again) is a symptom of the
Rob> misconception of Perl as a scripting language, and I think the
Rob> criticism is better made in those terms. It is comparable to
Rob> the weak code arising from misconceiving Perl as being C.

Rob> It helps to stand a few more up when you knock some down :)

Rather than repeat it, I'll merely point you to my latest UR column at
<http://www.stonehenge.com/merlyn/UnixReview/col48.html>.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
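The pure-Perl version of the ls/cat/grep loop that the thread argues for, written here as an added example rather than code from any of the participants; it assumes the directory and search string arrive on the command line, and the `files_containing` name is my own.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a pure-Perl replacement for
# the ls/cat/grep pipeline. No child shell runs, so PATH, shell
# metacharacters in $string, and unusual filenames cannot alter behaviour.
use strict;
use warnings;

# Return the names of regular files directly under $dir whose contents
# contain the literal $string. (Sub name is my own, not from the thread.)
sub files_containing {
    my ($dir, $string) = @_;

    # readdir returns each name whole, including names containing
    # newlines, which iterating over `ls` output would split apart.
    opendir(my $dh, $dir) or die "Cannot open directory $dir: $!";
    my @names = sort { $a cmp $b } grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);

    # \Q...\E makes the search literal; in the original, $string was
    # interpolated straight into a shell command line.
    my $pattern = qr/\Q$string\E/;

    my @matched;
    for my $name (@names) {
        my $path = "$dir/$name";
        next unless -f $path;    # skip subdirectories, sockets, etc.

        # Three-argument open: $path is always treated as a filename,
        # never as a pipe, whatever characters it contains.
        my $fh;
        unless (open($fh, '<', $path)) {
            warn "Cannot read $path: $!";
            next;
        }
        while (my $line = <$fh>) {
            if ($line =~ $pattern) {
                push @matched, $name;
                last;    # one hit is enough; stop reading this file
            }
        }
        close($fh);
    }
    return @matched;
}

# Usage: perl find_string.pl /files 'text to look for'
die "usage: $0 DIR STRING\n" unless @ARGV == 2;
my ($dir, $string) = @ARGV;
print "$_\n" for files_containing($dir, $string);
```

Because nothing is passed through a shell, a search string such as `foo; rm` or a filename with spaces is simply data here, which is the practical content of the "dangerous" and "insecure" points above.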