Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

Re: Trojan Horse? (taint mode)

by jarich (Curate)
on Nov 25, 2001 at 13:06 UTC ( #127375=note: print w/replies, xml ) Need Help??

in reply to Trojan Horse? (taint mode)

Perl interpolates variables in double quoted strings safely. Everything in the variable is considered to be a literal. So
my $a = q#${system('rm -rf /')}#; print "The command in \$a is $a\n";
will print out:
The command in $a is ${system('rm -rf /')}
and not even attempt to remove my files. Likewise this
my $b = "The command in \$a is $a\n";
sets $b to the string we printed out. Printing $b does exactly the same as the above. The only way this is going to come and cause us grief is if we eval $a - as you've suggested.

Perhaps the author is mistaken or you've misunderstood the reference, can you post the paragraph or two? I've checked the book errata and it's not mentioned anywhere there, but it's a pretty big mistake if you haven't misunderstood it.

Even authors make mistakes. :)

Replies are listed 'Best First'.
Re: Re: Trojan Horse? (taint mode)
by quinkan (Monk) on Nov 26, 2001 at 05:33 UTC

    The only way this is going to come and cause us grief is if we eval $a ?

    But pause to consider that someone playing with your CGI script has managed to get output redirected to an executable shell script.... Which is often the aim of a malicious hack. If you don't want naughty words appearing in, for example, your system initialisation scripts, it might be a good idea to untaint everything input.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://127375]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (8)
As of 2018-04-25 20:42 GMT
Find Nodes?
    Voting Booth?