[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Why `system` is safer with lists
[Thread Prev] | [Thread Next]
- Subject: Re: Why `system` is safer with lists
- From: mlists@xxxxxxxxx
- Date: Wed, 10 Apr 2024 23:09:00 +0000
- To: "Gry Llida (Lecturify)" <support@xxxxxxxxxxxxx>, codeforce@xxxxxxxxxx
On 4/10/24 22:36, Gry Llida (Lecturify) wrote:
It looks cool. is there a system() without lists somewhere? Are you reporting a bug in existing software?Yes, sorry for the lack of context, I could have communicated this better. This was a simple proof of concept I wrote up to demonstrate a problem in vpsnow, as I was doing some code review. Originally I had posted the proof of concept to paste.ircnow.org, but jrmu wanted me to send it to the list as well.
I'll end up sending a diff to fix this problem sooner rather than later. Long story short, there was a miscommunication and I was under the impression that no diff was desired.
This vulnerability wouldn't be much of an issue in practice since install.pl in vpsnow is run only by trusted admins, who would already have shell access anyway. But there's no point in leaving a known bug in the software either.
It's probably a good idea to keep an eye out for this problem elsewhere, especially CGI scripts or anything public facing. It's not a Perl specific issue, but Perl does have a couple of gotchas that makes this an easy enough mistake for people to make.
| Re: Why `system` is safer with lists | Gry Llida (Lecturify) <support@xxxxxxxxxxxxx> |