On Tue, 15 Feb 2000, Andrew Danforth wrote:
> On Mon, 14 Feb 2000, Bill wrote:
>
> > Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
> > from doing anything harmful, as well?
>
> Not really. Consider the following snippet:
>
> open PASSWD, '< /etc/passwd';
> $var = '&PASSWD'; # also try $var = '&3';
> open IN, "< $var";
> print while (<IN>);
>
> Perl's open will dup other file descriptors if < is followed by &. This
> isn't as potentially problematic as forking commands, but there may be
> circumstances where someone could dup a filehandle and cause your script
> to behave strangely/output sensitive information/etc.
>
> Andrew
Interesting. And for the curious, this doesn't seem to be noticed by
Perl's tainting mechanism, unless I'm misunderstanding something:
$ perl -T - '&PW'
open(PW, "/etc/passwd") or die "open(): $!\n";
$var = shift;
open(FH, "< $var") or die "open(): $!\n";
print <FH>;
(hit CTRL D here)
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
...
etc
Anyway, this is probably getting off topic...
- Bill
Received on Feb 17 2000
Intro
