On Thu, 17 Feb 2000, I wrote:
> Perl's tainting mechanism only comes into play if you are invoking an
> external command in some way: via system, exec, backticks, or opening a
> filehandle to or from a pipe. For example,
I need to correct myself here, before Randal does it for me. :)
Perl's tainting mechanism will also come into play when opening a
filehandle for writing:
[bsides@koala /tmp]$ cat splort.pl
#!/usr/bin/perl -T
$ENV{PATH}=''; # we need a safe path
$ENV{BASH_ENV}=''; # and a safe bash env
open(PW, ">$ARGV[0]") or die $!;
print PW "splort\nsplort\nsplort\n";
__END__
[bsides@koala /tmp]$ ./splort.pl splort
Insecure dependency in open while running with -T switch at ./splort.pl line 4.
--
Brock Sides
Unix Systems Administration
Towery Publishing
[EMAIL PROTECTED]
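
Added example, not part of the original message: a sketch of the same write-open check next to an allowlist untaint of the file name, plus the read-only open that taint mode does not check. The script name, the helpers try_open and untaint_name, the allowlist pattern and the sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as "perl -T taint_open.pl" (hypothetical file name).
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Constructed stand-in for $ARGV[0]: $^X is tainted under -T, and taint
# spreads to any string built from it, even from a zero-length slice.
my $taint = substr($^X, 0, 0);
my $arg   = 'splort' . $taint;
my $dir   = tempdir();    # scratch directory, removed at the end

# Attempt an open and report whether the taint check allowed it.
sub try_open {
    my ($mode, $path) = @_;
    my $ok  = eval { open(my $fh, $mode, $path) or die "$!\n"; close $fh; 1 };
    my $why = $ok ? 'ok' : $@;
    chomp $why;
    printf "%s tainted=%d: %s\n", $mode, (tainted($path) ? 1 : 0), $why;
    return $ok;
}

# Untaint by allowlist: only a regex capture clears the taint flag, so the
# pattern must describe exactly the names this program is willing to write.
sub untaint_name {
    my ($name) = @_;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

try_open('>', "$dir/$arg");      # refused: Insecure dependency in open
my $clean = untaint_name($arg);
die "rejected file name\n" unless defined $clean;
try_open('>', "$dir/$clean");    # allowed: name passed the allowlist
try_open('<', "$dir/$arg");      # allowed: read-only opens are not checked

# A constructed name with a path component fails the allowlist.
my $bad = untaint_name('../splort' . $taint);
print "'../splort': ", (defined $bad ? 'accepted' : 'rejected'), "\n";

unlink "$dir/$clean";
rmdir $dir;
```

A catch-all capture such as /(.*)/ would clear the taint flag just as well, which is why the pattern, not the -T switch, carries the actual validation.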
