Re: Why `system` is safer with lists
- Subject: Re: Why `system` is safer with lists
- From: jrmu <jrmu@xxxxxxxxxx>
- Date: Wed, 10 Apr 2024 15:37:24 -0700
- To: mlists@xxxxxxxxx
- Cc: codeforce@xxxxxxxxxx
Thanks. Can you also submit for me a diff/patch for vpsnow? I'll go ahead and try to merge it once I get gotwebd back in working order.

--
jrmu
IRCNow (https://ircnow.org)

On Wed, Apr 10, 2024 at 10:33:00PM +0000, mlists@xxxxxxxxx wrote:
> See also:
> `perldoc -tf system`
> `perldoc -t perlsec`
>
> ```
> #!/usr/bin/env perl
>
> use strict;
> use warnings;
>
> my $first_arg = shift or die "echo.pl needs an argument!\n";
>
> # This is passed directly to `/bin/sh -c`, and leads to an easy command
> # injection:
> # ./echo.pl "I like cats, here is one now; cat /etc/passwd"
> system "echo $first_arg";
>
> # This is split up into words and passed directly to execvp, so not
> # trivially exploitable. It'd require a vulnerability somewhere else.
> system qw(echo), $first_arg;
> ```
>
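An added example, not part of the thread or of any project mentioned in it: it runs the two forms from the quoted script side by side, then shows the one-element-list case documented in `perldoc -f system` and the indirect-object form that avoids it. The sample input and the helper name `run_no_shell` are assumptions made for illustration.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread. The input is constructed and the
# command after ';' is a harmless marker.
use strict;
use warnings;

$| = 1;    # flush our labels before each child writes

my $input = 'cats; echo INJECTED';    # constructed sample argument

print "1. string form: /bin/sh parses the ';'\n";
system "echo $input";

print "2. list form: the whole value is one argv element\n";
system 'echo', $input;

# perldoc -f system: a LIST holding a single element is checked for shell
# metacharacters like the string form, so this still reaches the shell.
my @cmd = ("echo $input");
print "3. one-element list: shell again\n";
system @cmd;

# Hypothetical helper: the indirect-object form `system { PROG } LIST`
# never uses the shell, whatever the length of LIST.
sub run_no_shell {
    my ($prog, @args) = @_;
    no warnings 'exec';    # we report a failed exec ourselves
    my $rc = system { $prog } $prog, @args;
    die "cannot start '$prog': $!\n" if $rc == -1;
    die "'$prog' died from signal " . ($? & 127) . "\n" if $? & 127;
    return $? >> 8;        # exit status of the child
}

print "4. indirect-object form, normal call\n";
my $status = run_no_shell('echo', $input);
print "   exit status: $status\n";

print "5. indirect-object form, one-element list\n";
eval { run_no_shell(@cmd); 1 } or print "   refused: $@";
```

In case 5 the whole string is taken as the program name, so the exec fails instead of handing the text to a shell.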