Hide output from perl script system command
brad
brad at bradandkim.net
Wed Nov 12 16:46:18 CST 2003
OK, good to know. The perl script already does what I would consider
parsing the input, but I don't know enough about perl or regexes to know
for sure what it is doing. It has been in place for a while without
problem. This also runs on a pass protected site, so between the two I
think it will be fine <crosses fingers>.
Thanks for the help,
Brad
Brian wrote:
> Ummm, yeah! A cleverly crafted string could be created that would issue
> commands that you haven't designed to run, with whatever privileges
> as the process that accepts the input string. You will want to feed
> the input from the web form through a filter removing characters
> that could be interpreted by the shell, or alternately filter on only
> the allowed characters.
>
>
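
Brian's second option (accept only allowed characters), as an added example that is not from the thread or from Brad's script: the form field is checked against an allow-list, then the command is run in list form so no shell ever parses it, with its output discarded. The field pattern, the helper names `validate_field` and `run_quietly`, and `/bin/echo` standing in for the real command are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list check (assumed field format): letters, digits, dot, underscore,
# hyphen, 1 to 64 characters. No leading hyphen, so the value cannot be read
# as an option by the called program. \A and \z anchor the whole string;
# unlike $, \z does not tolerate a trailing newline.
sub validate_field {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_.][A-Za-z0-9_.-]{0,63})\z/;
    return;    # undef in scalar context: caller must reject the request
}

# Run a command with no shell involved and throw away its output.
# exec with a list passes each argument to the program as-is, so characters
# such as ; | ` $ have no special meaning even if validation were bypassed.
sub run_quietly {
    my (@cmd) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: hide stdout and stderr, then replace ourselves with the command.
        open STDOUT, '>', '/dev/null' or exit 126;
        open STDERR, '>', '/dev/null' or exit 126;
        exec { $cmd[0] } @cmd or exit 127;
    }
    waitpid($pid, 0);
    return $? >> 8;    # exit status of the command
}

# Constructed sample inputs, standing in for values posted from the web form.
my @samples = ('report-2003', 'name; id', '$(id)', '`id`', '-rf', "report\n");

for my $i (0 .. $#samples) {
    my $clean = validate_field($samples[$i]);
    if (defined $clean) {
        # /bin/echo is a placeholder for the command the script really runs.
        my $rc = run_quietly('/bin/echo', $clean);
        print "sample $i: accepted, command exit code $rc\n";
    } else {
        print "sample $i: rejected\n";
    }
}
```

Only the first sample is accepted; the rest fail the allow-list before any command is started.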