Monks,
I was playing around with perl -s today, trying to come up with an obfu, and i realized that it allows you to modify read only variables Now I am hoping that perl scopes the vars off of the command line differently, localizes them somehow, but it still makes for some SURPRISING RESULTS. As an example, the below code, (perl 5.6.1 i386 Linux) when run with no command line options, prints "got password = hello", but when run with the command line switch "-1=foo", it prints "got password=foo"!!!! Doesn't this seem dangerous? Is this acceptable behavior? I would love some input on this:
Thanks a lot,
-malloc
"LISP programmers know the value of everything, and the cost of nothing"
UPDATE: I also just tested that i can remove the -s from the script, then just run it with "perl -s scrip.pl -1=foo" and the hackish behavior still works, so this seems to be a vulnerability whether you use -s or not?
#! /usr/bin/perl -ws use strict; my $test = "hello"; $test =~ m/(.*)/; print "got password = $1\n\n";
Thanks a lot,
-malloc
"LISP programmers know the value of everything, and the cost of nothing"
UPDATE: I also just tested that i can remove the -s from the script, then just run it with "perl -s scrip.pl -1=foo" and the hackish behavior still works, so this seems to be a vulnerability whether you use -s or not?
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: perl -s is evil?
by blakem (Monsignor) on Nov 15, 2001 at 05:52 UTC | |
by belg4mit (Prior) on Nov 15, 2001 at 21:28 UTC | |
Re: perl -s is evil?
by grinder (Bishop) on Nov 15, 2001 at 13:58 UTC | |
by blakem (Monsignor) on Nov 15, 2001 at 14:50 UTC | |
by buckaduck (Chaplain) on Nov 16, 2001 at 01:56 UTC | |
by jclovs (Sexton) on Nov 16, 2001 at 21:29 UTC | |
by blakem (Monsignor) on Nov 17, 2001 at 01:43 UTC | |
by malloc (Pilgrim) on Nov 15, 2001 at 21:30 UTC | |
Re: perl -s is evil?
by pileswasp (Monk) on Nov 22, 2001 at 00:10 UTC |
Back to
Meditations