Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re: UGU file rename script (GOLF?)

by myocom (Deacon)
on Jul 20, 2001 at 00:08 UTC ( #98219=note: print w/ replies, xml ) Need Help??


in reply to UGU file rename script (GOLF?)

While you're golfing, you might want to add the tiniest bit of security, for heaven's sake. String eval is a potentially very bad thing.

rename '`rm -rf /`' foo


Comment on Re: UGU file rename script (GOLF?)
Download Code
Re: Re: UGU file rename script (GOLF?)
by chipmunk (Parson) on Jul 20, 2001 at 01:37 UTC
    `rm -rf /` in an eval would execute rm with the user's own permissions. If the user can run rename '`rm -rf /`' on the command line, they could just as easily run rm -rf / directly.

    In other words, as long as you don't do something foolish like make the rename script setuid or create a web interface to it, I would argue that this script has no inherent security issues.

      I understand that it would execute rm with the user's own permissions. And that may not be a problem for this particular application (though I would never deploy it on *my* network).

      I'm more concerned that this sort of code will get passed on to a different application (cargo-cult style), where security *does* matter. To my thinking, there should at least be a comment about security in there by the eval.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://98219]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (8)
As of 2014-10-31 10:08 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (216 votes), past polls