In a message dated: Thu, 07 Mar 2002 08:36:13 EST Benjamin Scott said:
> Using this feature, an HTML form variable called "foo" results in a
> language variable called "$foo" (in Perl, at least). So the attacker
> submits the "form" with extra variables that do things like change your
> path, shell, internal authentication variables, etc., etc. Basically, the
> attacker can modify your program's state at will.

I don't think that's true. Yes, you can set variables like that, but you can also turn that off and state explicitly what variables get set from the HTML form.

Also, things like path, shell, and other environmental variables are all set using the global "%ENV" hash, which *should* be cleared out and set to known, safe, and accepted defaults.

Perl also has "taint-checking" available, which should always be used for stuff like this.

While I agree that Perl has many of the "features" you're complaining about, it is also completely possible to use them in a safe and consistent manner without getting into trouble. Again, it comes down to safe programming practices. If you know what you're doing, you're fine; if you don't, then you shouldn't be trying to pass as someone who does.

Cars are completely safe if used properly. There are a lot of people on the road who claim to be and attempt to pass for someone who knows what they're doing and don't. Because of them, the rest of us pay exorbitant insurance rates :)

-- 
Seeya,
Paul

*****************************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*****************************************************************
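The three practices Paul lists (taint checking, a reset %ENV, and naming the form fields you accept instead of bulk-importing them as Perl variables) put together in one CGI script. This is an added example written for this page, not code from either poster; the form field names `username` and `report`, their accepted patterns, and the use of CGI.pm's `param` are assumptions about a hypothetical script.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread). -T turns on taint mode:
# anything that arrives from the client, %ENV or @ARGV is "tainted" and
# Perl refuses to pass it to system(), exec(), open() for writing, etc.
# until a regex capture has explicitly untainted it.
use strict;
use warnings;
use CGI;

# 1. Known, safe environment. Taint mode will not run an external program
#    while $ENV{PATH} is tainted, and perlsec advises deleting these four
#    shell-influencing variables outright rather than trusting the server.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Allow-list of form fields (assumed names) with a pattern for each.
#    The capture group both validates and untaints the value, so each
#    pattern must be as tight as the data allows.
my %ALLOWED = (
    username => qr/^([a-z][a-z0-9_]{0,31})$/,
    report   => qr/^(daily|weekly|monthly)$/,
);

# Return a hash ref of validated, untainted parameters, or die naming the
# first field that failed. Fields not in %ALLOWED are simply never read,
# so extra variables the client adds to the form cannot reach the program.
sub clean_params {
    my ($q) = @_;
    my %clean;
    for my $name (sort keys %ALLOWED) {
        my $raw = $q->param($name);
        next unless defined $raw;            # optional field not supplied
        if ($raw =~ $ALLOWED{$name}) {
            $clean{$name} = $1;              # $1 from a match is untainted
        } else {
            die "Rejected value for '$name'\n";
        }
    }
    return \%clean;
}

# 3. Contrast: the bulk import the thread is discussing. Left commented
#    out on purpose. It would make every field the client sends appear as
#    a package variable $R::<field>, which is exactly the state-injection
#    Benjamin describes.
#   $q->import_names('R');

my $q      = CGI->new;
my $params = eval { clean_params($q) };

print $q->header('text/plain');
if (!$params) {
    print "Bad request: $@";
    exit 0;
}

my $user   = $params->{username} // 'anonymous';
my $report = $params->{report}   // 'daily';
print "Generating $report report for $user\n";
```

Two practical notes: the `-T` switch must be in effect from the start, so a script that is run as `perl script.pl` rather than directly by its shebang line dies with "Too late for -T"; and CGI.pm was removed from the Perl core in 5.22, so on a modern Perl it has to be installed from CPAN (the %ENV reset and the regex-untainting idiom need nothing beyond core Perl).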
