Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re^3: Insecure dependency in piped open

by sgifford (Prior)
on Jun 29, 2008 at 19:37 UTC ( #694631=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Insecure dependency in piped open
in thread Insecure dependency in piped open

Actually those two are subtly different. One of them has a single string, and Perl will hand that string to the shell to parse. If $host contains any special shell characters, the shell will interpret them; for example if $host was set to:

www.google.com; rm /path/to/your/script
the shell will see something like:
/bin/nslookup -type=any www.google.com; rm /path/to/your/script 2>&1 | +";
and will go ahead and try to remove your script, if it has permission. That is why Perl won't let you do it with taint mode on.

The multi-argument piped open doesn't send anything to the shell, and so avoids this problem.

There is also a difference in where standard error goes. In the first example it will be read from the pipe; in the second it will go to the original program's standard error, perhaps to a Web server error log.

Finally, for this particular purpose, there is probably a module available on CPAN (like Net::DNS) that will do the work without using an external program at all.

Good luck!


Comment on Re^3: Insecure dependency in piped open
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://694631]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (17)
As of 2014-07-11 15:59 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (230 votes), past polls