Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Re^2: Taint and Shellshock

by kennethk (Abbot)
on Sep 27, 2014 at 17:17 UTC ( [id://1102231]=note: print w/replies, xml ) Need Help??


in reply to Re: Taint and Shellshock
in thread Taint and Shellshock

Perhaps my choice of language was unclear - by 'wipe the whole %ENV hash' I meant localize the hash and set explicit values prior to shelling out. Perl is vulnerable to Shellshock because an environmental variable makes a side run and it's not in the set that Perl considers dangerous for an external call. In the perlsec docs, the only recommendations are regarding 5 specific variables which are the 5 that taint considers dangerous (please correct me if I'm mistaken). It seems like this issue might warrant increasing the scope of taint to consider any tainted value in %ENV dangerous to the shell (thus breaking billions of scripts worldwide....)

#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://1102231]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others about the Monastery: (2)
As of 2024-04-25 20:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found