
Re: Potentially insecure Perl scripts

Colin Watson <cjwatson@debian.org> writes:

> Ah, I see.  I think it would have been clearer what you meant with a bit
> more context, so here it is for others:

>        If one can be sure that a particular program is a Perl script
>        expecting filenames in @ARGV, the clever programmer can write
>        something like this:

>            % program f1 "cmd1|" - f2 "cmd2|" f3 < tmpfile

>        and no matter which sort of shell it's called from, the Perl
>        program will read from the file f1, the process cmd1, standard
>        input (tmpfile in this case), the f2 file, the cmd2 command,
>        and finally the f3 file.  Pretty nifty, eh?

Note also that you can modify @ARGV in the program and then use <>, and I
know of Perl programs (I have even written Perl programs, back in the day)
that do this to introduce pipes and other constructs and then use <> to
loop through the results.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
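As an added illustration (not part of Russ's message or the quoted perlop text), the following script shows the defensive counterpart to the trick described above: a loop that opens every argument with three-argument open, beside the `<<>>` operator that builds the same protection into ARGV. It assumes Perl 5.22 or later for `<<>>`, and the temporary file and argument list are constructed inside the script.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a loop that treats every
# argument strictly as a filename, beside the <<>> operator that does
# the same thing for ARGV on Perl 5.22 and later.
use 5.022;
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample input standing in for "f1" in the quoted text.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} "line one\nline two\n";
close $fh;

# Three-argument open never applies the two-argument magic, so "cmd|"
# and ">file" are looked up as literal filenames rather than spawning a
# process or clobbering a file.  Returns { name => [lines] or undef }.
sub read_files_strictly {
    my %lines;
    for my $name (@_) {
        if (open my $in, '<', $name) {
            chomp(my @l = <$in>);
            $lines{$name} = \@l;
            close $in;
        } else {
            warn "refused '$name' as a plain file: $!\n";
            $lines{$name} = undef;
        }
    }
    return \%lines;
}

my $result = read_files_strictly($path, 'echo owned|', '>clobbered');
for my $name (sort keys %$result) {
    my $lines = $result->{$name};
    printf "%-14s => %s\n", ($name eq $path ? 'tempfile' : $name),
        defined $lines ? scalar(@$lines) . ' line(s)' : 'not opened';
}

# Built-in equivalent: <<>> (double diamond) forces the three-argument
# form for each element of @ARGV, so the classic pipe trick is inert.
{
    local @ARGV = ($path, 'echo owned|');
    while (my $line = <<>>) {
        print "via <<>>: $line";
    }
}
```

With `<<>>` the literal name `-` is also no longer special, so a script that relies on `-` meaning standard input needs to handle that case itself.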
