Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Re(dmm): Trojan Horse? (taint mode)

by dmmiller2k (Chaplain)
on Nov 28, 2001 at 01:21 UTC ( #127917=note: print w/replies, xml ) Need Help??

in reply to Re: Trojan Horse? (taint mode)
in thread Trojan Horse? (taint mode)

The author warns that a string like "$a" does variable interpolation. No surprise there. Then he say's "But you now know that "a" can be replaced ba a block as long as it returns a reference to a scalar..." and so we should be worried about someone filling a variable with {system('/bin/rm -rf /*')} and maybe doing 'bad things' to us.

In my humble opinion, by his statement, "a" can be replaced, the original author may be discussing literally replacing the letter 'a' in the expression, "$a", with an actual (curly brace-delimited) block of code; in other words, changing the expression (quotes and all), "$a" to the different other expression, "${system('/bin/rm -rf /*')}", not necessarily assigning such a string as "{system('/bin/rm -rf /*')}", to the variable, $a and interpolating that.

I by no means intend, by posting this reply, to minimize the importance of the interpolation discussions. Nor is it my purpose to cast a pall on any of the extemely pertinant, valid points made in any of those threads.

However, the questions being discussed do not seem to me to be addressing the behavior described (as I read it) by the original author (not that it was especially well written). Perhaps all is right with the world and interpolation is, in fact, predictable.


You can give a man a fish and feed him for a day ...
Or, you can teach him to fish and feed him for a lifetime

Replies are listed 'Best First'.
Re2:Trojan Horse? (taint mode)
by blakem (Monsignor) on Nov 28, 2001 at 02:47 UTC
    The only problem with that interpretation is that it doesn't match the "Moral of the Story" (which is "Be very careful of strings that you get from untrusted sources.") Shooting yourself in the foot that way has nothing to do with strings from untrusted sources. The disconnect is as strong as if it had said:
    Look at this troublesome code:
    1 while fork();

    Moral of the Story: Don't trust external data sources.

    Both pieces are true (fork bombs are bad, external data shouldn't be trusted) but the jump from one to the other is unclear and misleading. It implies that external data can cause unexpected fork bombs, but it doesn't actually demonstrating how such a thing might happen.


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://127917]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (6)
As of 2018-02-22 23:42 GMT
Find Nodes?
    Voting Booth?
    When it is dark outside I am happiest to see ...

    Results (300 votes). Check out past polls.