
Re^3: Insecure dependency in piped open

by sgifford (Prior)
on Jun 29, 2008 at 19:37 UTC (#694631)


in reply to Re^2: Insecure dependency in piped open
in thread Insecure dependency in piped open

Actually those two are subtly different. One of them has a single string, and Perl will hand that string to the shell to parse. If $host contains any special shell characters, the shell will interpret them; for example if $host was set to:

    www.google.com; rm /path/to/your/script

the shell will see something like:

    /bin/nslookup -type=any www.google.com; rm /path/to/your/script 2>&1 |";

and will go ahead and try to remove your script, if it has permission. That is why Perl won't let you do it with taint mode on.

The multi-argument piped open doesn't send anything to the shell, and so avoids this problem.

There is also a difference in where standard error goes. In the first example it will be read from the pipe; in the second it will go to the original program's standard error, perhaps to a Web server error log.

Finally, for this particular purpose, there is probably a module available on CPAN (like Net::DNS) that will do the work without using an external program at all.

Good luck!
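
Added example, not part of the original post: a taint-mode script that untaints `$host` with a hostname pattern, runs nslookup through a forking open with list-form `exec` so no shell is involved, and still gets standard error on the pipe as the `2>&1` string form did. The names `untaint_host`, `lookup` and `RUN_LOOKUP`, and the exact hostname pattern, are assumptions made for this example.

```perl
# Run as: perl -T lookup.pl [host ...]
use strict;
use warnings;

# Taint mode refuses to run any program until the environment is clean.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing only hostname characters. The first character must be
# alphanumeric, so the value also cannot be read by nslookup as an option.
sub untaint_host {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?)\z/;
    return;
}

# Forking open plus list-form exec: no shell parses the command, and the
# child dups STDERR onto the pipe, which is what "2>&1" did in the string form.
sub lookup {
    my ($host) = @_;
    my $pid = open(my $fh, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                       # child: STDOUT is the pipe
        open(STDERR, '>&', \*STDOUT) or die "dup failed: $!";
        exec('/bin/nslookup', '-type=any', $host) or die "exec failed: $!";
    }
    my @out = <$fh>;                       # parent: reads both streams
    close $fh;
    return @out;
}

# Constructed sample inputs, used when no arguments are given.
my @inputs = @ARGV ? @ARGV
           : ('www.google.com', 'www.google.com; rm /path/to/your/script');

for my $raw (@inputs) {
    my $host = untaint_host($raw);
    if (!defined $host) {
        print "rejected: $raw\n";
        next;
    }
    print "accepted: /bin/nslookup -type=any $host\n";
    print lookup($host) if $ENV{RUN_LOOKUP};   # hypothetical opt-in switch
}
```

With no arguments it accepts the plain hostname and rejects the string containing `; rm ...`; set `RUN_LOOKUP=1` to actually invoke nslookup.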

