Ah, injection. Yes, you're completely right. My meaning in $cmd was to say, 
"whatever your command is"

Personally, I tend to only interpret input, as opposed to using it 
directly, i.e.:
  $cmd_to_run = $allowed_commands{$input_cmd_menu_item}

...but now I'm OT. ;)


---
Rodney Broom

----- Original Message ----- 
From: "Jonathan Rockway" <[EMAIL PROTECTED]>
To: "The elegant MVC web framework" <[email protected]>
Sent: Thursday, October 26, 2006 13:01
Subject: Re: [Catalyst] Re: How to redirect before some code excute


> > How come?
> 
> I recommend reading "perldoc perlsec".  The one-argument form of
> C<system> invokes the system's shell to process the command (usually),
> leading to a number of possible security problems.  Basically you're
> entering into the fun game of trying to escape all possible bad inputs,
> which is pretty close to impossible.
> 
> You can do better if you use the list form:
> 
>     system('date', '+%s');
> 
> That will call execvp directly, meaning that quotes, slashes, etc.
> become meaningless.
> 
> There's still a subtle security problem, though.  If $ENV{PATH} happens
> to be some place that an attacker can write (maybe /tmp if file uploads
> are allowed), then a 'date' in there could be executable code or a shell
> script, or whatever.
> 
> Anyway, you *can* invoke the shell from your app, but you're playing
> with fire and should be aware of the risks.
> 
> -- 
> package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
> $,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
> ";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
> 
> _______________________________________________
> List: [email protected]
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/[email protected]/
> Dev site: http://dev.catalyst.perl.org/
>

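The two defensive ideas in this thread (Rodney's allow-list lookup of a command by menu item, and Jonathan's multi-argument `system` plus a trustworthy `$ENV{PATH}`), put together in one small script. This is an added example written for this page, not code from either poster or from Catalyst; the `%allowed_commands` keys, the `command_for`/`run_menu_item` names and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread): allow-listed command dispatch
# using the list form of system() and a sanitized PATH, per perlsec.
use strict;
use warnings;

# Pin PATH to system directories so 'date' cannot resolve to a binary
# dropped in an attacker-writable place such as an upload directory.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Menu item -> argv list (hypothetical sample entries). The request only
# selects a key; no part of it ever becomes part of the command line.
my %allowed_commands = (
    epoch => [ 'date', '+%s' ],
    today => [ 'date', '+%Y-%m-%d' ],
);

# Returns a fresh copy of the argv list for a menu item, or undef if the
# item is not on the allow-list.
sub command_for {
    my ($input_cmd_menu_item) = @_;
    return undef unless defined $input_cmd_menu_item;
    my $cmd = $allowed_commands{$input_cmd_menu_item};
    return $cmd ? [ @$cmd ] : undef;
}

# Runs the selected command. The indirect-object form system { PROG } LIST
# forces execvp semantics even for a one-element list, so the shell is
# never involved and quotes, semicolons, etc. in input are meaningless.
sub run_menu_item {
    my ($input_cmd_menu_item) = @_;
    my $argv = command_for($input_cmd_menu_item)
        or return (0, 'rejected: not an allowed command');
    my $rc = system { $argv->[0] } @$argv;
    return (0, "exec failed: $!")      if $rc == -1;
    return (0, 'exit ' . ($rc >> 8))   if $rc != 0;
    return (1, 'ok');
}

# Constructed sample inputs: two legitimate choices and an injection attempt.
for my $input ( 'epoch', 'epoch; rm -rf /', 'today' ) {
    my $argv = command_for($input);
    print "input=[$input] ", ( $argv ? "would run: @$argv" : 'rejected' ), "\n";
}

my ( $ok, $msg ) = run_menu_item('epoch');
print "run_menu_item('epoch'): $msg\n";
```

The injection attempt is rejected at the lookup step because `epoch; rm -rf /` is simply not a key in `%allowed_commands`; even if an allowed argv contained shell metacharacters, the indirect-object `system { ... }` form would pass them to `execvp` as literal bytes rather than to `/bin/sh`.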
