Hi Dave,

Thank you for your e-mail! I am doing system ("..."); at the moment, and I didn't realize the difference between this and system ($cmd, @args); I didn't know the difference nor that the latter is a bit safer. I will try this as a first step and taint as a long term solution. As I said in my previous reply, the system is well on its way to being ready, so I think I would receive too many errors if I turned on taint immediately. But, I need to read up more about it before I make a decision. Too many years with Perl, but new to Web development. Never had to worry about security before with single-user scripts...

Thanks again!

Ray

Dave Rolsky wrote:
> Someone else recommended taint mode, but I'm not a big fan of it. It
> probably won't _hurt_, but I've been bitten by bugs in taint mode way too
> many times (like it breaks the regex engine somehow).
>
> In the particular case of using system() or exec(), the #1 most important
> thing to do is to make sure that you call it with a list of arguments:
>
> system( $cmd, @args );
>
> This ensures that Perl will _not_ pass this command to your system's shell
> for execution. Avoiding the shell avoids all the problems of things like
> semi-colons, etc.
>
> Instead, Perl will just use a system call directly to execute the command.
> That means your command sees the _literal_ value of each argument, without
> any shell interpolation.
>
> Note that I have no idea how this works on non-Unix systems.
>
> Also, this does not protect you from users doing things like putting
> "../../../../../../../../../etc/shadow" as an argument and seeing what
> happens. This you still have to handle yourself.
>
>
> -dave
>
> /*==========================
> VegGuide.Org
> Your guide to all that's veg
> ==========================*/
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Mason-users mailing list
> Mason-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mason-users
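The contrast Dave describes, worked through as an added example (this is not code from the thread or from Mason). It shows the string form of system() beside the list form, and adds the argument check Dave says you still have to do yourself. One caveat worth knowing that the thread does not mention: Perl only bypasses the shell when the list has two or more elements; a single-element call is still scanned for shell metacharacters and may go to the shell, and the indirect-object form system { $cmd } $cmd, @args forces a direct exec regardless. The example assumes a Unix-like system; the base directory /var/app/reports and the file names fed to the check are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread). Contrasts the string and list
# forms of system() and adds the path check the shell does nothing about.
# Assumes a Unix-like system; $^X (the running perl) is used as the child
# process so that what it receives in argv is visible without other tools.
use strict;
use warnings;
use File::Spec;

# Constructed sample input: what a hostile request parameter might carry.
my $user_input = 'report.txt; echo INJECTED';

# 1. String form: one scalar goes to /bin/sh, so ';' starts a second command.
#    This is the pattern to move away from; left as a comment on purpose.
# system("cat $user_input");

# 2. List form with two or more elements: Perl calls execvp() directly.
#    Each element lands in the child's argv unchanged; ';' is just a byte.
#    The child here prints its argv, so the literal value can be seen.
my @child = ($^X, '-e', 'print "argv: ", join(" | ", @ARGV), "\n"', '--');
system(@child, $user_input) == 0 or die "child failed: $?";

# Caveat: with exactly one element, system() still scans for shell
# metacharacters and may use the shell. The indirect-object form forces a
# direct exec regardless of how many arguments there are:
#     system { $cmd } $cmd, @args;

# 3. Path containment. Bypassing the shell does nothing against
#    "../../../../etc/shadow"; that is an application check. Here a name is
#    accepted only if it is relative and contains no '.' or '..' component,
#    and only then is it joined to a fixed base directory.
sub safe_relative_name {
    my ($name) = @_;
    return 0 if !defined $name || $name eq '';
    return 0 if File::Spec->file_name_is_absolute($name);
    my @parts = File::Spec->splitdir(File::Spec->canonpath($name));
    # no_upwards() drops '.' and '..'; any drop means the name tried to escape.
    return scalar(File::Spec->no_upwards(@parts)) == scalar(@parts) ? 1 : 0;
}

my $base = '/var/app/reports';   # hypothetical base directory, constructed
for my $name ('2008-09.txt', 'sub/2008-09.txt', '../../etc/shadow', '/etc/shadow') {
    if (safe_relative_name($name)) {
        my $path = File::Spec->catfile($base, $name);
        print "accepted: would run  cat -- $path\n";
        # system('cat', '--', $path);   # list form, still no shell
    } else {
        print "rejected: $name\n";
    }
}
```

The '--' before the user-controlled argument is there so that a value beginning with '-' cannot be read by the child as an option; it is an argument-level concern, separate from the shell one. The name check deliberately rejects rather than rewrites: stripping '..' out of a name and then using what is left tends to reintroduce the problem with inputs such as '....//'.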