[Catalyst] Re: How to redirect before some code excute
Rodney Broom
rbroom+catalyst at rbroom.com
Thu Oct 26 20:39:35 GMT 2006
Ah, injection. Yes, you're completely right. My meaning in $cmd was to say, "whatever your command is"
Personally, I tend to only interpret input, as opposed to using it directly, i.e.:
$cmd_to_run = $allowed_commands{$input_cmd_menu_item};
...but now I'm OT. ;)
---
Rodney Broom
----- Original Message -----
From: "Jonathan Rockway" <jon at jrock.us>
To: "The elegant MVC web framework" <catalyst at lists.rawmode.org>
Sent: Thursday, October 26, 2006 13:01
Subject: Re: [Catalyst] Re: How to redirect before some code excute
> > How come?
>
> I recommend reading "perldoc perlsec". The one-argument form of
> C<system> invokes the system's shell to process the command (usually),
> leading to a number of possible security problems. Basically you're
> entering into the fun game of trying to escape all possible bad inputs,
> which is pretty close to impossible.
>
> You can do better if you use the list form:
>
> system('date', '+%s');
>
> That will call execvp directly, meaning that quotes, slashes, etc.
> become meaningless.
>
> There's still a subtle security problem, though. If $ENV{PATH} happens
> to be some place that an attacker can write (maybe /tmp if file uploads
> are allowed), then a 'date' in there could be executable code or a shell
> script, or whatever.
>
> Anyway, you *can* invoke the shell from your app, but you're playing
> with fire and should be aware of the risks.
>
> --
> package JAPH;use Catalyst qw/-Debug/;($;=JAPH)->config(name => do {
> $,.=reverse qw[Jonathan tsu rehton lre rekca Rockway][$_].[split //,
> ";$;"]->[$_].q; ;for 1..4;$,=~s;^.;;;$,});$;->setup;
>
> _______________________________________________
> List: Catalyst at lists.rawmode.org
> Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/[email protected]/
> Dev site: http://dev.catalyst.perl.org/
>
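The two points raised in this thread, Rodney's "interpret the input, never use it directly" mapping and Jonathan's list-form system() with a trustworthy PATH, combined into one runnable script. This is an added example written for this page, not code from the thread or from Catalyst; the menu item names, the commands they map to, and the pinned PATH value are assumptions chosen for illustration.

```perl
#!/usr/bin/env perl
# Added example (not from the original thread): an allow-list dispatch that
# never lets user input reach a shell, combined with the exec-style form of
# system() and a pinned PATH. Command names and paths are illustrative.
use strict;
use warnings;

# Pin PATH so execvp's lookup cannot be steered into a directory an
# attacker can write (the /tmp case Jonathan raises), and drop the other
# environment variables "perldoc perlsec" lists as shell-influencing.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Rodney's approach: the request selects a menu item; the item name is
# only ever used as a hash key. Each entry is a fixed argument list, so
# no quoting or escaping of user data is ever needed.
my %allowed_commands = (
    epoch_time => [ 'date', '+%s' ],
    disk_usage => [ 'df', '-h', '/' ],
);

sub run_menu_item {
    my ($input_cmd_menu_item) = @_;

    my $cmd_to_run = $allowed_commands{$input_cmd_menu_item}
        or die "unknown menu item: $input_cmd_menu_item\n";

    # Caveat on the list form: system() with exactly ONE element still
    # falls back to the shell if that element contains metacharacters.
    # The indirect-object form, system { PROGRAM } ARGV, always goes to
    # execvp, whatever the list length, so use it unconditionally here.
    my $rc = system { $cmd_to_run->[0] } @$cmd_to_run;
    die "failed to run $cmd_to_run->[0]: $!\n" if $rc == -1;
    return $rc >> 8;    # child's exit status
}

# Constructed inputs: one legitimate selection and one injection attempt.
# The second never reaches a shell; it simply is not a key in the hash.
for my $item ( 'epoch_time', 'epoch_time; rm -rf /' ) {
    my $status = eval { run_menu_item($item) };
    print defined $status ? "ok, exit status $status\n" : "rejected: $@";
}
```

Run as-is: the first iteration prints the current epoch time from date(1) followed by "ok, exit status 0"; the second prints "rejected: unknown menu item: epoch_time; rm -rf /". The design choice worth noting is that the allow list carries the whole argv, not just the program name, so a future menu entry cannot quietly re-introduce string interpolation of request data.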