[Catalyst] Re: How to redirect before some code execute

Jonathan Rockway jon at jrock.us
Thu Oct 26 20:01:18 GMT 2006


> How come?

I recommend reading "perldoc perlsec".  The one-argument form of
C<system> invokes the system's shell to process the command (usually),
leading to a number of possible security problems.  Basically you're
entering into the fun game of trying to escape all possible bad inputs,
which is pretty close to impossible.

You can do better if you use the list form:

    system('date', '+%s');

That will call execvp directly, meaning that quotes, slashes, etc.
become meaningless.

There's still a subtle security problem, though.  If $ENV{PATH} happens
to be some place that an attacker can write (maybe /tmp if file uploads
are allowed), then a 'date' in there could be executable code or a shell
script, or whatever.

Anyway, you *can* invoke the shell from your app, but you're playing
with fire and should be aware of the risks.

-- 
package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
$,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
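As an added example (not part of Jonathan's post or of Catalyst itself), here is the one-argument shell-invoking form beside a hardened version that combines the three points above: the list form so no shell is involved, an explicit PATH (and an absolute path to the binary) so a writable directory cannot supply a rogue `date`, and an allow-list on the caller-supplied format so the value is also untainted under `-T`. The `run_date_*` function names and the idea of running `date` with a user-chosen format are assumptions for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Assumed scenario: the app runs `date` with a format string taken from a request.

# Unsafe: one string means Perl hands the command to /bin/sh, so a format
# such as "+%s; rm -rf ..." or "+%s `id`" is interpreted by the shell.
sub run_date_unsafe {
    my ($fmt) = @_;
    my $out = `date $fmt`;    # shell involved; never do this with untrusted input
    return $out;
}

# Hardened: list form (execvp, no shell), fixed environment, allow-listed input.
sub run_date_safe {
    my ($fmt) = @_;

    # Allow-list: a leading '+' and at most 40 characters from a small set.
    # Capturing from the regex is also what untaints $fmt under taint mode (-T).
    my ($clean) = $fmt =~ m{\A(\+[%A-Za-z0-9:/ -]{1,40})\z}
        or die "rejected date format";

    # perlsec's advice: pin PATH and drop shell-influencing variables, so a
    # writable directory on the inherited PATH cannot provide a fake 'date'.
    local $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # Absolute path makes the lookup independent of PATH entirely.
    my @cmd = ('/bin/date', $clean);

    # Three-plus-argument open runs the program directly, like list-form system.
    open(my $fh, '-|', @cmd) or die "cannot run date: $!";
    my $out = do { local $/; <$fh> };
    close $fh or die "date exited with status $?";
    return $out;
}

print run_date_safe('+%s');    # epoch seconds, e.g. 1161893000
```

Under `-T` the unsafe version dies before it runs, because `$fmt` is tainted; the safe version only accepts what the regex captures, and the fixed PATH plus absolute path close the "writable directory on PATH" hole described above independently of what the input contains.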
