Re: Re: Dangerous diamonds!

by dws (Chancellor)
on May 18, 2003 at 15:57 UTC (#258993)


in reply to Re: Dangerous diamonds!
in thread Dangerous diamonds!

> BTW, who runs one-liners as root? (I'd consider that a bug)

It's not just one-liners, and it's not just root. Any script that doesn't untaint ARGV is vulnerable. Partly, that vulnerability is incidental, given that once someone has broken into an account it is a lot easier for them to do damage directly, rather than wasting time attacking some Perl script.

Very few Perl books talk about ARGV being a vulnerability. Or if they do, it's in passing in one part of the book, with examples in other parts ignoring the hazard.


Re: Re: Re: Dangerous diamonds!
by Juerd (Abbot) on May 18, 2003 at 16:18 UTC

    > Any script that doesn't untaint ARGV is vulnerable.

    Which is this thread's lesson :)

    But I still think magic ARGV should not use two-arg open.

    Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
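
One way to read the files named on the command line without relying on magic ARGV's two-arg open, as an added example that is not code from either post. The helper name `each_line_literal` and the demo file name are hypothetical, and the sample file is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): visit every line of every named
# file, as `while (<>)` would, but open each name with three-argument open so
# the name is only ever treated as a path, never as a mode plus a path.
sub each_line_literal {
    my ($callback, @names) = @_;
    @names = ('-') unless @names;           # same default as <>: read STDIN
    my $failures = 0;
    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            $fh = \*STDIN;                  # the one <> convention kept here
        }
        elsif (!open($fh, '<', $name)) {    # mode is fixed; $name is data only
            warn "Can't open $name: $!\n";
            $failures++;
            next;
        }
        while (my $line = <$fh>) {
            $callback->($line, $name);
        }
        close($fh) unless $name eq '-';
    }
    return $failures;
}

# Constructed demo: the file name starts with a character that two-argument
# open would read as a mode marker, so it would look for a different file.
unless (caller) {
    require Cwd;
    require File::Temp;
    my $start = Cwd::getcwd();
    my $dir   = File::Temp::tempdir(CLEANUP => 1);
    chdir $dir or die "Can't chdir to $dir: $!";

    my $name = '<constructed-input.txt';
    open(my $out, '>', $name) or die "Can't create $name: $!";
    print {$out} "line one\nline two\n";
    close($out) or die "Can't close $name: $!";

    my @seen;
    my $failed = each_line_literal(sub { push @seen, $_[0] }, $name);
    printf "read %d line(s), %d failure(s)\n", scalar @seen, $failed;
    chdir $start or die "Can't chdir back to $start: $!";
}
```

Perl 5.22 and later also provide the `<<>>` operator, which opens each name in `@ARGV` with three-argument open.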
