[815] in WWW Security List Archive
"Safe CGI" document
daemon@ATHENA.MIT.EDU (Lincoln D. Stein)
Fri Aug 4 13:16:48 1995
Date: Fri, 4 Aug 1995 09:53:20 -0500
To: www-managers@lists.stanford.edu, www-security@ns2.rutgers.edu
From: lstein@genome.wi.mit.edu (Lincoln D. Stein)
Errors-To: owner-www-security@ns2.rutgers.edu
I'd like to add another perl "pearl" to the CGI security document. There
is a little-documented feature in perl's system() and exec() functions which
allows you to invoke external programs (sendmail for instance) without
going through a shell.
If you pass exec() and system() an array consisting of each of the command
line arguments, then perl bypasses the shell and calls the program
directly. Any shell metacharacters present in the arguments are passed to
the program uninterpreted.
The difference is subtle. This will invoke a shell. Metacharacters in
$suspectvariable will be interpreted:
system("foo -t $suspectvariable");
This will call the program foo directly, and metacharacters will be left alone:
system('foo','-t',$suspectvariable);
When doing a piped open, you can take advantage of this fact using this trick:
open(FOO,"|-") || exec('foo','-t',$suspectvariable);
This actually pipes the FOO filehandle to a copy of perl, which then
immediately does a direct exec() of 'foo'.
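The string-vs-list distinction and the fork-then-exec piped open, as an added runnable example (not part of the original message). It assumes the standard printf and cat utilities stand in for 'foo', uses a constructed untrusted value, and also shows the later list-form open (Perl 5.8+) that does the same job in one call.

```perl
#!/usr/bin/perl
# Added example: list-form system()/exec() versus a shell string, and the
# "|-" fork-then-exec trick from the message, all with an untrusted argument.
use strict;
use warnings;

# Constructed "untrusted" CGI value containing shell metacharacters.
my $suspectvariable = 'hello; echo INJECTED';

# UNSAFE (commented out): a single string is handed to /bin/sh -c, so the
# ';' would be interpreted and "echo INJECTED" would run as a second command.
# system("printf '%s\\n' $suspectvariable");

# SAFE: list form bypasses the shell; the whole value arrives verbatim as
# one argv element, so printf just prints "hello; echo INJECTED".
my $rc = system('printf', '%s\n', $suspectvariable);
die "printf failed: $?" if $rc != 0;

# SAFE piped write, the 1995 idiom: opening "|-" forks. In the child open()
# returns 0 and we exec the program directly with a list of arguments; in
# the parent open() returns the child's pid and the handle feeds its stdin.
my $pid = open(my $child, '|-');
defined $pid or die "fork failed: $!";
if ($pid == 0) {
    exec('cat', '-n') or die "exec failed: $!";
}
print $child "$suspectvariable\n";
close($child) or warn "cat exited with status $?";

# Modern equivalent (Perl 5.8+): list-form piped open forks and execs the
# program without a shell in a single call.
open(my $fh, '|-', 'cat', '-n') or die "cannot run cat: $!";
print $fh "$suspectvariable\n";
close($fh) or warn "cat exited with status $?";
```

Running it prints the metacharacter-laden value three times, unmodified; uncommenting the string form is the only way to get INJECTED echoed on its own line.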
Regards,
Lincoln
========================================================================
Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
Director: Informatics Core
MIT Genome Center (617) 252-1916
Whitehead Institute for Biomedical Research (617) 252-1902 FAX
One Kendall Square
Cambridge, MA 02139
=================http://www-genome.wi.mit.edu/~lstein====================