Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > secprog > 03 > 010275.html (Request Expert securityfocus.com Support)

Re: Can System() of Perl be bypassed?

From: Glynn Clements <glynn.clements(at)virgin.net>
Date: Wed Jan 22 2003 - 17:37:14 EST

Sandeep Giri wrote:

> In my PERL code,I am using user's input as command line argument for the

It depends upon how it is called. The entry for "system" in the perlfunc(1) manpage says:

    Note
    that argument processing varies depending on the     number of arguments. If there is more than one     argument in LIST, or if LIST is an array with more     than one value, starts the program given by the     first element of the list with arguments given by     the rest of the list. If there is only one scalar     argument, the argument is checked for shell     metacharacters, and if there are any, the entire     argument is passed to the system's command shell     for parsing (this is /bin/sh -c on Unix platforms,     but varies on other platforms). If there are no     shell metacharacters in the argument, it is split     into words and passed directly to execvp(), which     is more efficient.

So, if there's a single scalar argument (i.e. you generate a single string by concatenating the user's input with some other data), then yes, the user can execute arbitrary commands.

> Is PERL's -T (Taint mode) the solution for this?

The obvious solution is to either use multiple arguments or an array with more than one element, so that the shell isn't used.

Do you need help?X

There may be advantages to using taint mode as well, but that's a separate issue. 

-- 
Glynn Clements
Received on Wed Jan 22 18:20:49 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:45 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library