mailing list archives
Re: perl-cgi hole in UltimateBB by Infopop Corp.
From: mckinnon () ISIS2000 COM (Bill)
Date: Mon, 14 Feb 2000 15:33:14 -0500
"Sergei A. Golubchik" wrote:
The fix is obvious. But the rule of the thumb is "do not use magic perl open".
At least in cgi scripts. If you want to open regular file, sysopen does
the trick as well.
Isn't open(FH, "< $variable") sufficient to stop any embedded |'s, etc
from doing anything harmful, as well?