Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Re^3: Insecure dependency in piped open

by sgifford (Prior)
on Jun 29, 2008 at 19:37 UTC ( #694631=note: print w/replies, xml ) Need Help??

in reply to Re^2: Insecure dependency in piped open
in thread Insecure dependency in piped open

Actually those two are subtly different. One of them has a single string, and Perl will hand that string to the shell to parse. If $host contains any special shell characters, the shell will interpret them; for example if $host was set to:; rm /path/to/your/script
the shell will see something like:
/bin/nslookup -type=any; rm /path/to/your/script 2>&1 | +";
and will go ahead and try to remove your script, if it has permission. That is why Perl won't let you do it with taint mode on.

The multi-argument piped open doesn't send anything to the shell, and so avoids this problem.

There is also a difference in where standard error goes. In the first example it will be read from the pipe; in the second it will go to the original program's standard error, perhaps to a Web server error log.

Finally, for this particular purpose, there is probably a module available on CPAN (like Net::DNS) that will do the work without using an external program at all.

Good luck!

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://694631]
[LanX]: do you have a py job now?
[tye]: Right now I have errors trying to fetch stuff from graphite. It says 'apps not ready, check startup logs'. I eventually find the startup logs and see 'no apps found'. Looking for fixes to this problem...
[LanX]: no idea ... ask py monks! ;-p
[tye]: it turns out that this can be caused by almost anything going wrong. If you want to know what caused the problem, you have to try to load each app by-hand to see what problems it is having, because none of those will be logged.
[tye]: No, I write more Perl than py at work. But I have to deal with plenty of py things.
[tye]: py monks would just be offended.
[Corion]: ;)
[Corion]: Hi tye btw ;)
[Corion]: I found plenty of not chatty enough logs with Perl too ... I'm slowly coming to appreciate Log::Log4perl resp. our homegrown alternative

How do I use this? | Other CB clients
Other Users?
Others examining the Monastery: (8)
As of 2017-09-21 20:13 GMT
Find Nodes?
    Voting Booth?
    During the recent solar eclipse, I:

    Results (252 votes). Check out past polls.