Monks,
I was playing around with perl -s today, trying to come up with an obfu, and i realized that it allows you to modify read only variables Now I am hoping that perl scopes the vars off of the command line differently, localizes them somehow, but it still makes for some SURPRISING RESULTS. As an example, the below code, (perl 5.6.1 i386 Linux) when run with no command line options, prints "got password = hello", but when run with the command line switch "-1=foo", it prints "got password=foo"!!!! Doesn't this seem dangerous? Is this acceptable behavior? I would love some input on this:
Thanks a lot,
-malloc
"LISP programmers know the value of everything, and the cost of nothing"
UPDATE: I also just tested that i can remove the -s from the script, then just run it with "perl -s scrip.pl -1=foo" and the hackish behavior still works, so this seems to be a vulnerability whether you use -s or not?
#! /usr/bin/perl -ws use strict; my $test = "hello"; $test =~ m/(.*)/; print "got password = $1\n\n";
Thanks a lot,
-malloc
"LISP programmers know the value of everything, and the cost of nothing"
UPDATE: I also just tested that i can remove the -s from the script, then just run it with "perl -s scrip.pl -1=foo" and the hackish behavior still works, so this seems to be a vulnerability whether you use -s or not?
Back to
Meditations