On Thu, 7 Mar 2002, at 8:40am, [EMAIL PROTECTED] wrote:

>> Using this feature, an HTML form variable called "foo" results in a
>> language variable called "$foo" (in Perl, at least). So the attacker
>> submits the "form" with extra variables that do things like change your
>> path, shell, internal authentication variables, etc., etc. Basically,
>> the attacker can modify your program's state at will.
>
> I don't think that's true. Yes, you can set variables like that, but
> you can also turn that off and state explicitly what variables get set
> from the HTML form.
Ummm... huh? That is what I said. It is a bad idea to use these features,
but they are there, for many different platforms.

> Also, things like path, shell, and other environmental variables are all
> set using the global "%ENV" hash, which *should* be cleared out and set to
> known, safe, and accepted defaults.

Which won't matter much if anyone on the web can reset them for you. :-)

> While I agree that Perl has many of the "features" you're complaining
> about, it is also completely possible to use them in a safe and consistent
> manner without getting into trouble.

Uhhh... yah. That was my point. I agree with everything you said in this
message, except for the "I don't think that's true" part, since I was saying
the same thing you are. :-)

--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization. All information is provided without warranty of any kind.   |
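The two patterns the thread argues about, shown side by side as an added example in Perl (not code from either poster): CGI.pm's import_names(), which turns every form field into a package variable, beside an explicit allowlist of accepted fields with a %ENV reset. The field names and validation regexes are assumed for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): auto-imported form variables beside
# an explicit allowlist, plus a %ENV reset to known defaults.
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# --- Risky: every form field becomes a package variable --------------------
# import_names() is a real CGI.pm method. A request such as
#   ?user=alice&is_admin=1&path=/tmp/x
# would populate $Form::user, $Form::is_admin and $Form::path, so any global
# the program reads from that namespace is under the client's control.
# $q->import_names('Form');   # deliberately left commented out

# --- Safer: reset %ENV and pull only the fields you intend to accept -------
# 1. Known, safe environment defaults rather than whatever the server passed
#    (the deletions follow perlsec's recommendation).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# 2. Explicit allowlist of accepted fields (assumed names), each validated
#    against a pattern whose capture group yields the untainted value.
my %field_rule = (
    user => qr/^([a-z0-9_]{1,32})$/,
    page => qr/^([0-9]{1,4})$/,
);

my %form;
for my $name (sort keys %field_rule) {
    my $raw = $q->param($name);
    next unless defined $raw;
    if ($raw =~ $field_rule{$name}) {
        $form{$name} = $1;    # $1 is the validated, untainted value
    } else {
        print $q->header('text/plain'), "bad value for $name\n";
        exit;
    }
}
# Any other field the client sent (is_admin, path, ...) is simply ignored:
# nothing outside %form ever changes because of the request.

print $q->header('text/plain');
print "user=$form{user}\n" if exists $form{user};
print "page=" . ($form{page} // 1) . "\n";
```

With taint mode (-T) on, Perl also refuses to pass unvalidated request data to system calls, which catches the cases the allowlist loop might miss.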
