[Catalyst] Re: How to redirect before some code excute
Rodney Broom
rbroom+catalyst at rbroom.com
Thu Oct 26 21:39:35 BST 2006
Ah, injection. Yes, you're completely right. My meaning in $cmd was to say, "whatever your command is"
Personally, I tend to only only interpret input, as apposed to using it directly. ie;
$cmd_to_run = $allowed_commands{$input_cmd_menu_item}
...but now I'm OT. ;)
---
Rodney Broom
----- Original Message -----
From: "Jonathan Rockway" <jon at jrock.us>
To: "The elegant MVC web framework" <catalyst at lists.rawmode.org>
Sent: Thursday, October 26, 2006 13:01
Subject: Re: [Catalyst] Re: How to redirect before some code excute
> > How come?
>
> I recommend reading "perldoc perlsec". The one-argument form of
> C<system> invokes the system's shell to process the command (usually),
> leading to a number of possible security problems. Basically you're
> entering into the fun game of trying to escape all possible bad inputs,
> which is pretty close to impossible.
>
> You can do better if you use the list form:
>
> system('date', '+%s');
>
> That will call execvp directly, meaning that quotes, slashes, etc.
> become meaningless.
>
> There's still a subtle security problem, though. If $ENV{PATH} happens
> to be some place that an attacker can write (maybe /tmp if file uploads
> are allowed), then a 'date' in there could be executable code or a shell
> script, or whatever.
>
> Anyway, you *can* invoke the shell from your app, but you're playing
> with fire and should be aware of the risks.
>
> --
> package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
> $,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
> ";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
>
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
> Dev site: http://dev.catalyst.perl.org/
>
More information about the Catalyst
mailing list