[5193] in bugtraq


Re: Vulnerability in Majordomo

daemon@ATHENA.MIT.EDU (Randal Schwartz)
Wed Aug 27 02:14:04 1997

Date: 	Tue, 26 Aug 1997 18:45:55 -0700
Reply-To: Randal Schwartz <merlyn@STONEHENGE.COM>
From: Randal Schwartz <merlyn@STONEHENGE.COM>
X-To:         Steve Hill <steve_hill@VNET.IBM.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Steve Hill's message of "Tue, 26 Aug 1997 18:05:54 +0100"

>>>>> "Steve" == Steve Hill <steve_hill@VNET.IBM.COM> writes:

Steve> By far the safest way of doing any sort of validation is to
Steve> provide a list of the safe characters, and not permit anything
Steve> else. The perl to implement such a scheme is remarkably simple:

Steve>   $reply_addr =~ s/[^\w\.@-]//g;

Steve> This will remove all characters which are not alphanumeric, a
Steve> period, an at symbol or a hyphen. Of course, you may like to
Steve> include a small piece of code which saves insecure strings in a
Steve> file somewhere, along with the sender.

No.  The *very* safest way is "Don't let data anywhere near a shell!"
The CGI FAQ tells how to do this stuff right.  So does the Perl FAQ
(which now ships *with* Perl as part of the distribution).  So does
the (new) Camel book.

There's no excuse for letting data of any kind get anywhere near a
shell line.  Ugh.  Especially with the ultra-flexible Perl constructs.

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <merlyn@stonehenge.com> Snail: (Call) PGP-Key: (finger merlyn@ora.com)
Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
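
As an added illustration of the two positions in this exchange (this is not code from the thread or from Majordomo), the Perl below shows an allowlist check alongside the "keep data away from the shell" approach. The allowlist rejects a value rather than stripping characters, and its leading `\w` also keeps an address from starting with `-`, which a mail program could otherwise read as a command-line option. The sendmail path and flags are assumptions for this example.

```perl
#!/usr/bin/perl
# Added illustration, not code from the original thread or from Majordomo.
use strict;
use warnings;

# Allowlist in the spirit of the quoted one-liner, but used to *reject*
# the value instead of silently stripping characters from it.  The
# leading \w also stops an address from beginning with "-", which a
# mail program could otherwise interpret as an option.
sub is_safe_address {
    my ($addr) = @_;
    return defined $addr && $addr =~ /\A\w[\w.@-]*\z/;
}

# Unsafe shape: a single-string pipe open is handed to /bin/sh, so any
# shell metacharacter in $addr is interpreted as shell syntax.
sub send_reply_via_shell {
    my ($addr, $body) = @_;
    open my $mail, "| /usr/lib/sendmail $addr" or die "open: $!";   # DON'T
    print $mail $body;
    close $mail;
}

# Safer shape: the list form of open() execs sendmail directly with no
# shell involved, so $addr arrives as exactly one argument.  The
# allowlist is still applied first, as defence in depth.
sub send_reply {
    my ($addr, $body) = @_;
    die "rejected address: $addr\n" unless is_safe_address($addr);
    open my $mail, '|-', '/usr/lib/sendmail', '-oi', $addr
        or die "cannot run sendmail: $!";
    print $mail $body;
    close $mail or die "sendmail failed: $?";
}

# Constructed sample inputs: exercise the check without sending mail.
my @samples = (
    'alice@example.com',
    'bob.smith-1@lists.example.org',
    'alice@example.com; echo injected',   # shell metacharacters
    '-bs',                                # looks like an option, not an address
);
for my $s (@samples) {
    printf "%-36s %s\n", $s, is_safe_address($s) ? 'accepted' : 'rejected';
}

# Only actually send when an address is given on the command line.
send_reply($ARGV[0], "Subject: test\n\nhello\n") if @ARGV;
```

Run it with no arguments to see which constructed samples pass the allowlist; the first two are accepted and the last two rejected. Passing an address as the first argument calls `send_reply`, which goes through the list-form `open` and never touches `/bin/sh`.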
