Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Re: UGU file rename script (GOLF?)

by myocom (Deacon)
on Jul 20, 2001 at 00:08 UTC ( #98219=note: print w/ replies, xml ) Need Help??


in reply to UGU file rename script (GOLF?)

While you're golfing, you might want to add the tiniest bit of security, for heaven's sake. String eval is a potentially very bad thing.

rename '`rm -rf /`' foo


Comment on Re: UGU file rename script (GOLF?)
Download Code
Replies are listed 'Best First'.
Re: Re: UGU file rename script (GOLF?)
by chipmunk (Parson) on Jul 20, 2001 at 01:37 UTC
    `rm -rf /` in an eval would execute rm with the user's own permissions. If the user can run rename '`rm -rf /`' on the command line, they could just as easily run rm -rf / directly.

    In other words, as long as you don't do something foolish like make the rename script setuid or create a web interface to it, I would argue that this script has no inherent security issues.

      I understand that it would execute rm with the user's own permissions. And that may not be a problem for this particular application (though I would never deploy it on *my* network).

      I'm more concerned that this sort of code will get passed on to a different application (cargo-cult style), where security *does* matter. To my thinking, there should at least be a comment about security in there by the eval.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://98219]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (6)
As of 2015-07-29 05:23 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (260 votes), past polls