Re: Trojan Horse? (taint mode)

by jarich (Curate)
on Nov 25, 2001 at 13:06 UTC


in reply to Trojan Horse? (taint mode)

Perl interpolates variables in double quoted strings safely. Everything in the variable is considered to be a literal. So

    my $a = q#${system('rm -rf /')}#;
    print "The command in \$a is $a\n";

will print out:

    The command in $a is ${system('rm -rf /')}

and not even attempt to remove my files. Likewise this

    my $b = "The command in \$a is $a\n";

sets $b to the string we printed out. Printing $b does exactly the same as the above. The only way this is going to come and cause us grief is if we eval $a - as you've suggested.

Perhaps the author is mistaken or you've misunderstood the reference, can you post the paragraph or two? I've checked the book errata and it's not mentioned anywhere there, but it's a pretty big mistake if you haven't misunderstood it.

Even authors make mistakes. :)


Re: Re: Trojan Horse? (taint mode)
by quinkan (Monk) on Nov 26, 2001 at 05:33 UTC

    > The only way this is going to come and cause us grief is if we eval $a ?

    But pause to consider that someone playing with your CGI script has managed to get output redirected to an executable shell script.... Which is often the aim of a malicious hack. If you don't want naughty words appearing in, for example, your system initialisation scripts, it might be a good idea to untaint everything input.
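The following script is an added example, not code from either post above. It demonstrates jarich's point (interpolating untrusted text into a double-quoted string leaves it as literal data; only a string eval turns it into code) and quinkan's point (untaint input before it can reach anything that executes). The sample payload, the whitelist pattern in untaint_word and the helper names are assumptions made for this example; run it under taint mode as `perl -T interp.pl` so that @ARGV and %ENV are tainted.

```perl
#!/usr/bin/perl -T
# Added example for the thread above, not the original poster's code.
# Run with:  perl -T interp.pl            (uses a constructed sample payload)
#       or:  perl -T interp.pl 'some text' (payload from the command line, tainted)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample that looks like the post's payload but only calls a harmless echo.
# Concatenating a tainted empty string (taken from %ENV) makes the default tainted too,
# so the script behaves the same whether or not an argument was given.
my $input = defined $ARGV[0]
    ? $ARGV[0]
    : q#${\ system('echo SHELL COMMAND RAN')}# . substr($ENV{PATH}, 0, 0);

# (1) Interpolation: the variable's contents are pasted in verbatim. Nothing runs.
my $report = "The command in \$input is $input\n";
print $report;
printf "input tainted: %s, report tainted: %s\n",
    (tainted($input)  ? 'yes' : 'no'),
    (tainted($report) ? 'yes' : 'no');

# (2) String eval: this is where text becomes code. Under -T Perl refuses to
#     compile tainted data ("Insecure dependency in eval ..."), which we catch.
sub try_eval {
    my ($code) = @_;
    my $ok = eval { eval $code; die $@ if $@; 1 };
    return $ok ? 'ran' : "refused: $@";
}
print 'eval of tainted input: ', try_eval($input), "\n";

# (3) Untainting: only data matching an explicit whitelist pattern is let through.
#     The pattern here ("a bare word of 1-32 word characters") is an assumed policy
#     for the example; a real check must match exactly what the application expects.
sub untaint_word {
    my ($s) = @_;
    return ($s =~ /\A(\w{1,32})\z/) ? $1 : undef;
}

my $clean = untaint_word($input);
if (defined $clean) {
    printf "untainted value '%s' (tainted: %s)\n", $clean, (tainted($clean) ? 'yes' : 'no');
} else {
    print "input rejected by the untaint policy; it will not be used as code or a command\n";
}
```

With the constructed payload the interpolated line prints the `${...}` text unchanged, the eval is refused by taint mode rather than executed, and the whitelist rejects the payload because it contains characters outside `\w`. Passing a plain word such as `perl -T interp.pl hello` shows the other branch: the value comes out of untaint_word untainted and can be used further.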
