[Date Prev][Date Next][Thread Prev][Thread Next] [Search] [Date Index] [Thread Index]

Re: [MacPerl] Dangerous cgi-script

To: mac-perl@iis.ee.ethz.ch
Subject: Re: [MacPerl] Dangerous cgi-script
From: Nicolas Le Clerc <nleclerc@pobox.com>
Date: Thu, 10 Jul 1997 13:21:24 -0400
In-Reply-To: <199707101443.QAA04460@solar.ethz.ch>
Organization: GWU - Master of science in finance
References: Your message of Thu, 10 Jul 1997 16:23:05 +0200.

At 10:43 AM -0400 7/10/97, Matthias Ulrich Neeracher wrote:

> This script is very dangerous indeed. Think of what happens if some
>user
> decides that "unlink" is a mathematical operator! The solution for
>this is to
> eith use the Safe module (but I have never really tried that on
>MacPerl) or to
> do a sanity check on $math before evaluating it. (Forbidding more
>than 3
> successive alphabetic characters, for instance, allows sin and cos
>while
> forbidding most (all?) dangerous operators).

On a Unix machine, with no more than three successive alphabetic
characters you can still do:

	`rm -rf /`;

Even if your script is not running as root, this won't do much good to
your machine.

Nicolas

--
Nicolas LE CLERC
<mailto:nleclerc@pobox.com>
<finger:nleclerc@pobox.com>

***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch

Follow-Ups:
- Re: [MacPerl] Dangerous cgi-script
  - From: "Paul J. Schinder" <schinder@pjstoaster.pg.md.us>

References:
- Re: [MacPerl] Dangerous cgi-script
  - From: Matthias Ulrich Neeracher <neeri@iis.ee.ethz.ch>

Prev by Date: Re: [MacPerl] Public key risks
Next by Date: Re: [MacPerl] Dangerous cgi-script
Prev by thread: Re: [MacPerl] Dangerous cgi-script
Next by thread: Re: [MacPerl] Dangerous cgi-script
Navigation: Date Index | Thread Index | Search | Other lists at bumppo.net