In a message dated: Thu, 07 Mar 2002 10:33:41 EST
Benjamin Scott said:

>> Also, things like path, shell, and other environmental variables are all
>> set using the global "%ENV" hash, which *should* be cleared out and set to
>> known, safe, and accepted defaults.
>
>  Which won't matter much if anyone on the web can reset them for you.  :-)

I don't believe these can be set from a web form.  Usually, when 
doing CGI with Perl, one uses CGI.pm or something similar, and sets 
up the variables allowed to be modified like:

        my ($foo) = $q->param("foo");

And that's the only way $foo gets created: you have to at least 
explicitly assign to it.  I'm not sure how some variable can 
automagically come into existence through a form and have malicious 
content assigned to it.  The programmer must state which fields get 
assigned to which variables.

It is possible to enter things into a form like:

        Name: "$ENV{'PATH'}='/etc'"

or something like that, but unless you then did an eval on that form 
variable, nothing's ever going to happen with it.  And if you're 
eval'ing external code like that, you'd *really* better know what 
you're doing. (I've never, ever used 'eval'.  Mostly because I don't 
understand how to, and I'm petrified of the ramifications if I tried :)

>  I agree with everything you said in this message, except for the "I don't
>think that's true part", since I was saying the same thing you are.  :-)

Well all right then!  As long as that's the case, have it your way ;)
-- 

Seeya,
Paul
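As an added illustration of the two points made in this thread (not code from Paul's message, and not CGI.pm's own code), the script below clears %ENV down to known defaults and then pulls in only the one form field it names. A submitted value shaped like `$ENV{'PATH'}='/etc'` stays an ordinary string; only a string eval would ever execute it, and this script never calls one. It assumes CGI.pm is installed; the field name `name`, the allow-listed CGI variables and the default PATH are assumptions chosen for the example. Run it as `perl -T example.pl` so taint mode is active.

```perl
#!/usr/bin/perl -T
# Added example: sanitize %ENV, then read only explicitly named CGI fields.
use strict;
use warnings;
use CGI;

# Reduce %ENV to a known state.  Everything not on the allow-list is dropped,
# then the variables child processes would inherit are set to fixed values.
# (Taint mode would in any case refuse to spawn a subprocess with a PATH
# that came from the outside world.)
sub sanitize_env {
    my %keep = map { $_ => 1 }
        qw(REQUEST_METHOD QUERY_STRING CONTENT_LENGTH CONTENT_TYPE);  # assumed allow-list
    for my $key (keys %ENV) {
        delete $ENV{$key} unless $keep{$key};
    }
    $ENV{PATH}  = '/bin:/usr/bin';   # assumed safe default
    $ENV{SHELL} = '/bin/sh';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};  # never let these leak through
    return;
}

# Read exactly the fields the programmer lists; nothing else is created.
sub read_form {
    my ($q) = @_;
    my ($name) = $q->param('name');   # hypothetical field name
    $name = '' unless defined $name;
    return { name => $name };
}

sanitize_env();

# Constructed sample input standing in for a real request: the string from the
# thread, URL-encoded the way a browser would send it.
my $sample_query = 'name=' . CGI::escape(q{$ENV{'PATH'}='/etc'});
my $q    = CGI->new($sample_query);
my $form = read_form($q);

print $q->header('text/plain');
print "name field as received : $form->{name}\n";   # printed verbatim, as data
print "PATH after reading form: $ENV{PATH}\n";      # still /bin:/usr/bin
print "ENV untouched by form  : ",
      ($ENV{PATH} eq '/bin:/usr/bin' ? "yes" : "no"), "\n";
```

Interpolating `$form->{name}` into a double-quoted string substitutes the variable's contents; it does not parse the contents as Perl, which is why the assignment-looking text is inert. The one construct that would turn it into code is `eval $form->{name}` on a string, which is exactly the case the message warns against.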
