Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine

Re^3: Insecure dependency in piped open

by sgifford (Prior)
on Jun 29, 2008 at 19:37 UTC ( #694631=note: print w/replies, xml ) Need Help??

in reply to Re^2: Insecure dependency in piped open
in thread Insecure dependency in piped open

Actually those two are subtly different. One of them has a single string, and Perl will hand that string to the shell to parse. If $host contains any special shell characters, the shell will interpret them; for example if $host was set to:; rm /path/to/your/script
the shell will see something like:
/bin/nslookup -type=any; rm /path/to/your/script 2>&1 | +";
and will go ahead and try to remove your script, if it has permission. That is why Perl won't let you do it with taint mode on.

The multi-argument piped open doesn't send anything to the shell, and so avoids this problem.

There is also a difference in where standard error goes. In the first example it will be read from the pipe; in the second it will go to the original program's standard error, perhaps to a Web server error log.

Finally, for this particular purpose, there is probably a module available on CPAN (like Net::DNS) that will do the work without using an external program at all.

Good luck!

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://694631]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (3)
As of 2023-04-01 20:20 GMT
Find Nodes?
    Voting Booth?

    No recent polls found