Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re^2: Dangerous Characters for system calls

by graff (Chancellor)
on Apr 14, 2014 at 02:49 UTC ( [id://1082182]=note: print w/replies, xml ) Need Help??


in reply to Re: Dangerous Characters for system calls
in thread Dangerous Characters for system calls

Sorry if this reply is coming too late to be helpful. The situation you describe, of printing the text from the form directly into a pipeline of chained commands, could be relatively risk-free, provided that the commands behave reasonably well when presented with untrusted input on stdin.

That is, if "commanda" and "commandb" really are just (fairly robust) stdin-stdout filters - and if the strings to run those commands are fully defined in your code (i.e. do not contain untrusted strings from the web form), then you won't really be exposing any untrusted data as part of a command line.

Obviously, if "commanda" or "commandb" are not robust when given untrusted input (e.g. if they assume line-oriented input but don't know how to handle really long input lines, or they assume ASCII-only input and do unpredictable things with non-ASCII data), then your process is still facing risks, unless you filter the data appropriately before writing it to the pipe.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://1082182]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others cooling their heels in the Monastery: (6)
As of 2024-03-29 02:08 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found