
Re: perlsec question

by belg4mit (Prior)
on Dec 14, 2001 at 04:52 UTC (#131854=note)

in reply to perlsec question

People have told you what they are, good. IMHO however you are much better off resetting %ENV. Kill it, %ENV = ();. This way you know for sure you aren't passing anything bad. Or at the very least, explicitly pass only things you know are safe or you have sanitized.
    my @PATH = ($ENV{PATH} =~ m/(clean)/);   # 'clean' stands for your real whitelist pattern; the capture is what untaints the value
    %ENV = ( PATH => join(':', @PATH) );     # rebuild %ENV with nothing but the cleaned PATH

perl -p -e "s/(?:\w);([st])/'\$1/mg"

Re: Re: perlsec question
by chip (Curate) on Dec 14, 2001 at 09:57 UTC
    I should think that clearing %ENV would eventually bite you in the butt when you start using the code in question to run programs that depend on the environment.

    Granted there are times when it's appropriate -- running children from a setuid program, for example -- but most of the time it's just too big a hammer.

        -- Chip Salzenberg, Free-Floating Agent of Chaos

      When all you have is a hammer everything looks like a nail :-D. Except of course having a swiss army chainsaw there is more than a hammer at our disposal. However, it surely cannot be too difficult to later clean and pass other environment variables as needed. Else one could say not clearing %ENV will eventually bite you in the butt because you have no idea what some clever author of an external program will rely upon and do with an environment variable ;-).

      perl -p -e "s/(?:\w);([st])/'\$1/mg"
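The two positions above (belg4mit's "reset %ENV and pass only what you have sanitized" and chip's point that child programs often need some environment) can be reconciled with an allow-list. The following is an added example and is not code from either poster: `clean_env` and the `%ALLOW` patterns are illustrative choices of mine, and the sample environment is constructed. Each value is copied back into %ENV only if it matches a capturing pattern, which is also what untaints it under `-T`; everything else, including IFS, is dropped.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical allow-list (added example): variable name => pattern that the
# whole value must match. The capture group is what untaints under -T.
my %ALLOW = (
    # Only absolute directories, no '.', no empty elements
    PATH => qr{^((?:/[\w.-]+)+(?::(?:/[\w.-]+)+)*)$},
    HOME => qr{^(/[\w./-]+)$},
    LANG => qr{^([\w.@-]+)$},
    TZ   => qr{^([\w/+:-]+)$},
);

# Return a fresh environment containing only allowed names whose values
# match their pattern. Names not in the allow-list never make it through,
# which is the effect of belg4mit's %ENV = () for everything unlisted.
sub clean_env {
    my ($old, $allow) = @_;
    my %new;
    for my $name (sort keys %$allow) {
        next unless defined $old->{$name};
        if ($old->{$name} =~ $allow->{$name}) {
            $new{$name} = $1;    # captured, therefore untainted
        } else {
            warn "dropping $name: value does not match allowed pattern\n";
        }
    }
    return %new;
}

# Constructed sample environment: a relative '.' in PATH and an IFS that a
# shell child would honour. Neither survives clean_env.
my %sample = (
    PATH => '/usr/local/bin:/usr/bin:/bin:.',
    HOME => '/home/monk',
    IFS  => ' ',
    LANG => 'en_US.UTF-8',
);

%ENV = clean_env(\%sample, \%ALLOW);

# PATH was dropped because of the trailing '.', so fall back to a fixed,
# known-good literal rather than run the child with no PATH at all.
$ENV{PATH} //= '/usr/bin:/bin';

printf "%s=%s\n", $_, $ENV{$_} for sort keys %ENV;

# List-form system() avoids the shell; taint mode accepts it because PATH
# is untainted and IFS/CDPATH/ENV/BASH_ENV are absent.
system('/bin/echo', "child sees PATH=$ENV{PATH}") == 0
    or die "child failed: $?";
```

Run it as `perl -T script.pl` (the `-T` on the `#!` line must also be given on the command line). The script prints `HOME`, `LANG` and the fallback `PATH`, warns once about the rejected PATH, and the child inherits nothing that was not explicitly allowed.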
