[14894] in bugtraq
Re: Advisory: Unchecked system(blaat $var blaat) call in Bugzilla
daemon@ATHENA.MIT.EDU (Todd C. Miller)
Mon May 15 04:11:55 2000
Message-Id: <200005110640.e4B6e5G16557@xerxes.courtesan.com>
Date: Thu, 11 May 2000 00:40:05 -0600
Reply-To: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
From: "Todd C. Miller" <Todd.Miller@COURTESAN.COM>
X-To: Frank van Vliet <karin@ROOT66.NL.EU.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Thu, 11 May 2000 02:30:18."
<20000511003435.F29FD1FF1D@lists.securityfocus.com>
Would it not be simpler (and safer) to just call system() with
a list instead of a scalar and thus prevent perl from ever invoking
a shell?
I.e., instead of:
    system("./processmail $id $::FORM{'who'});
Use:
    system("./processmail", $id, $::FORM{'who'});
- todd
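
Added example, not part of the message above or of the Bugzilla code: a runnable comparison of the scalar and list forms of system(). The child script standing in for ./processmail and the values of $id and $who are constructed for illustration; it assumes a POSIX shell and no spaces in the perl or temp-file paths.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for ./processmail: prints each argument it receives
# in brackets, so the argument boundaries are visible.
my ($fh, $script) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print {$fh} 'print "  arg: [$_]\n" for @ARGV;', "\n";
close $fh or die "close: $!";

# Constructed form values; $who carries shell metacharacters.
my $id  = 42;
my $who = 'user@example.com; echo shell-ran-this';

$| = 1;  # flush our own output before each child runs, to keep the order

# One string containing metacharacters: perl passes it to the shell, which
# splits it at ';' and runs what follows as a second command.
print "scalar form:\n";
system("$^X $script $id $who");

# More than one list element: perl executes the program directly, and $who
# reaches it as a single, uninterpreted argument.
print "list form:\n";
system($^X, $script, $id, $who);

# Caveat: a list that holds only one element is treated like the scalar
# form. The indirect-object form never uses a shell, whatever the length.
print "indirect-object form:\n";
my @cmd = ($^X, $script, $id, $who);
system { $cmd[0] } @cmd;
```

The list form only removes the shell from the path; the called program still has to treat the value of $who as untrusted data.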