PerlMonks
Re: Trojan Horse? (taint mode)

by jarich (Curate)
on Nov 25, 2001 at 13:06 UTC


in reply to Trojan Horse? (taint mode)

Perl interpolates variables in double quoted strings safely. Everything in the variable is considered to be a literal. So

    my $a = q#${system('rm -rf /')}#;
    print "The command in \$a is $a\n";

will print out:

    The command in $a is ${system('rm -rf /')}

and not even attempt to remove my files. Likewise this

    my $b = "The command in \$a is $a\n";

sets $b to the string we printed out. Printing $b does exactly the same as the above. The only way this is going to come and cause us grief is if we eval $a - as you've suggested.

Perhaps the author is mistaken or you've misunderstood the reference; can you post the paragraph or two? I've checked the book errata and it's not mentioned anywhere there, but it's a pretty big mistake if you haven't misunderstood it.

Even authors make mistakes. :)


Re: Re: Trojan Horse? (taint mode)
by quinkan (Monk) on Nov 26, 2001 at 05:33 UTC

    The only way this is going to come and cause us grief is if we eval $a ?

    But pause to consider that someone playing with your CGI script has managed to get output redirected to an executable shell script.... Which is often the aim of a malicious hack. If you don't want naughty words appearing in, for example, your system initialisation scripts, it might be a good idea to untaint all input.

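The two points above (interpolation copies text literally, and tainted input should be untainted before it can reach a file or a shell) in one runnable script. This is an added example, not code from either post; the script name, the /tmp path and the whitelist regex are my choices, and it must be started with `perl -T` so that @ARGV is tainted.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl '${system("echo hi")}'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything from @ARGV, %ENV, STDIN or a CGI form is tainted.
my $input = @ARGV ? $ARGV[0] : die "usage: perl -T $0 TEXT\n";

# 1. Double-quote interpolation only copies characters. The ${...} inside
#    $input is data, not code, so nothing is executed here.
my $line = "The command in \$input is $input\n";
print $line;

# 2. The taint flag follows the data through interpolation, so perl would
#    refuse $line, exactly like $input, as a filename, a system() argument
#    or an eval string.
printf "tainted? input=%d interpolated=%d\n",
    tainted($input) ? 1 : 0, tainted($line) ? 1 : 0;

# 3. Untainting: keep only what a whitelist regex captures (the capture
#    group is what clears the taint). Anything else, including ${...}
#    text, is rejected outright rather than "cleaned up".
sub untaint_token {
    my ($s) = @_;
    return $s =~ /\A([A-Za-z0-9_.-]{1,64})\z/ ? $1 : undef;
}

for my $candidate ($input, 'report.txt') {
    my $clean = untaint_token($candidate);
    if (!defined $clean) {
        print "rejected: $candidate\n";
        next;
    }
    # Only untainted text may name a file opened for writing under -T;
    # writing tainted *contents* into that file is still allowed.
    my $path = "/tmp/$clean";
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $line;
    close $fh;
    print "wrote $path (name tainted? ", tainted($path) ? 1 : 0, ")\n";
}
```

With the sample argument the script prints the `${...}` text verbatim, reports both strings as tainted, rejects the argument as a filename and writes only /tmp/report.txt.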