Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Re^4: system call windows

by BrowserUk (Patriarch)
on Mar 08, 2019 at 14:18 UTC ( #1231054=note: print w/replies, xml ) Need Help??


in reply to Re^3: system call windows
in thread system call windows

Note that I am not advocating against the use of using the multi-argument system and related builtins on Windows,

I never do it, because of the reasons you cite.

And I never understood the predilection *nix people have for "avoiding the shell".

It seems to me that all of the justifictions I've read -- the bad guys can replace the shell with their program, or insert their program earlier in the search path and variations thereof -- could equally be done to the program you ask the shell to run on your behalf.

And if they can do either, your system is pretty much owned anyway.


With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority". The enemy of (IT) success is complexity.
In the absence of evidence, opinion is indistinguishable from prejudice. Suck that fhit

Replies are listed 'Best First'.
Re^5: system call windows
by haukex (Bishop) on Mar 10, 2019 at 19:51 UTC
    And I never understood the predilection *nix people have for "avoiding the shell". It seems to me that all of the justifictions I've read ... could equally be done to the program you ask the shell to run on your behalf.

    The major issue I see with it is interpolating user input into the shell command. If one uses fixed strings, or one makes sure that any variables interpolated into the command are always sanitized, then I have no problem with using the shell. The problem arises when people aren't aware of the potential security issues, do the escaping wrong, or when scripts start out with "safe" use of the shell but are later modified to accept different user input and the maintainer forgets to properly sanitize the inputs accordingly. Hence my usual advice to just avoid the shell in the first place, and only use it if one knows what one is doing.

      Hence my usual advice to just avoid the shell

      Hm. Sounds a little like advising people to wear condoms at all times rather than just when appropriate.


      With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority". The enemy of (IT) success is complexity.
      In the absence of evidence, opinion is indistinguishable from prejudice. Suck that fhit
        Hence my usual advice to just avoid the shell [... and only use it if one knows what one is doing.]
        Sounds a little like advising people to wear condoms at all times rather than just when appropriate.

        That's a pretty good analogy for what I said: If one knows and trusts one's user, one doesn't need to "wear a condom" and can put their input into the shell unprotected (although it can still be useful to prevent accidents). But if one is going to be sleeping with the entire internet...

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://1231054]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (1)
As of 2022-01-18 02:51 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    In 2022, my preferred method to securely store passwords is:












    Results (52 votes). Check out past polls.

    Notices?