Re: Insecure dependency in system under -T, with list form invocation
by pjf (Curate)
on Sep 11, 2008 at 02:37 UTC
As many people have pointed out already, one of your arguments to system is tainted. Unfortunately, Perl doesn't tell you which one. You could walk through your code to try and figure it out, but since we're programming in Perl, laziness is a virtue, and there are modules to check this for you automatically.
If you have a recent version of IPC::System::Simple then if called with tainted arguments it will tell you which ones are tainted. That means your code changes to:
IPC::System::Simple will also throw a detailed exception if your ssh command doesn't run, is killed by a signal, or returns a non-zero exit value (although you can change that if you wish, see the docs).
If you're using autodie and have IPC::System::Simple installed, then you can do the same thing with lexical scope (i.e., just for that block):
IPC::System::Simple is pure Perl with no dependencies and works on 5.6.0 and above. autodie is pure Perl, has IPC::System::Simple as an optional dependency, and works on 5.8.0 or above.
Disclaimer: I wrote all the modules mentioned in this post, so I obviously think they're great. ;)
Perl Training Australia
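
The check described in the post above, done by hand with the core Scalar::Util module: this is an added example, not pjf's code and not IPC::System::Simple's implementation. The script name, the host-name pattern and the use of /bin/echo as a stand-in command are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T find_taint.pl HOST
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses to run commands with an untrusted environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return [index, value] for every tainted element of a command list.
sub tainted_args {
    my @cmd = @_;
    return map { [ $_, $cmd[$_] ] } grep { tainted($cmd[$_]) } 0 .. $#cmd;
}

# Untaint by capturing from a strict pattern (assumed policy for host names).
# The first character must be alphanumeric, so the value can never be
# read as an option by the program that receives it.
sub untaint_host {
    my ($host) = @_;
    return $1 if $host =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/;
    die "refusing host name: not in the allowed form\n";
}

my $host = shift @ARGV;    # everything in @ARGV is tainted under -T
defined $host or die "usage: perl -T $0 HOST\n";

# /bin/echo stands in for the real command so the example runs offline.
my @cmd = ('/bin/echo', 'would connect to', $host);

printf "argument %d is tainted: '%s'\n", @$_ for tainted_args(@cmd);

# Perl's own check dies without naming the argument.
eval { system(@cmd); 1 } or print "perl says: $@";

$cmd[-1] = untaint_host($host);
die "an argument is still tainted\n" if tainted_args(@cmd);
system(@cmd) == 0 or die "command failed, status $?\n";
```

The first system call fails with Perl's generic "Insecure dependency" message, while the loop before it has already named the offending argument; the second call runs only after that argument has passed the pattern.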