Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Re: perlsec question

by belg4mit (Prior)
on Dec 14, 2001 at 04:52 UTC ( #131854=note: print w/ replies, xml ) Need Help??


in reply to perlsec question

People have told you what they are, good. IMHO however you are much better off resetting %ENV. Kill it, %ENV = ();. This way you know for sure you aren't passing anything bad. Or at the very least, explicitly pass only things you know are safe or you have sanitized.

my @PATH = ($ENV{PATH} =~ m/clean/); %ENV = ( PATH => join(':', @PATH); );

--
perl -p -e "s/(?:\w);([st])/'\$1/mg"


Comment on Re: perlsec question
Select or Download Code
Re: Re: perlsec question
by chip (Curate) on Dec 14, 2001 at 09:57 UTC
    I should think that clearing %ENV would eventually bite you in the butt when you start using the code in question to run programs that depend on the environment.

    Granted there are times when it's appropriate -- running children from a setuid program, for example -- but most of the time it's just too big a hammer.

        -- Chip Salzenberg, Free-Floating Agent of Chaos

      When all you have is a hammer everything looks like a nail :-D. Except of course having a swiss army chainsaw there is more than a hammer at our disposal. However, it surely cannot be too difficult to later clean and pass other environment variables as needed. Else one could say not clearing %ENV will eventually bite you in the butt because you have no idea what some clever author of an external program will rely upon and do with an environment variable ;-).

      --
      perl -p -e "s/(?:\w);([st])/'\$1/mg"

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://131854]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (7)
As of 2014-12-25 16:08 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (160 votes), past polls