
Re: [MacPerl] Dangerous cgi-script



At 10:43 AM -0400 7/10/97, Matthias Ulrich Neeracher wrote:

> This script is very dangerous indeed. Think of what happens if some user
> decides that "unlink" is a mathematical operator! The solution for this is to
> either use the Safe module (but I have never really tried that on MacPerl) or to
> do a sanity check on $math before evaluating it. (Forbidding more than 3
> successive alphabetic characters, for instance, allows sin and cos while
> forbidding most (all?) dangerous operators).

On a Unix machine, with no more than three successive alphabetic
characters you can still do:

	`rm -rf /`;

Even if your script is not running as root, this won't do much good to
your machine.

Nicolas

--
Nicolas LE CLERC
<mailto:nleclerc@pobox.com>
<finger:nleclerc@pobox.com>
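Added example, not part of the original thread or of the script under discussion, written in Perl 5 since MacPerl is the subject: an allowlist check for the calculator's $math string placed beside the three-letter rule from the quoted message, so the difference between the two approaches is visible on real input. The function names accepted (sin, cos, sqrt, abs, exp, log, int) are an assumed allowlist for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The rule proposed in the thread: reject any run of four or more letters.
# It blocks "unlink" and "system", but says nothing about backticks or sigils.
sub passes_letter_rule {
    my ($expr) = @_;
    return $expr !~ /[A-Za-z]{4,}/ ? 1 : 0;
}

# Allowlist instead: every identifier must be one of these functions
# (assumed set for this example) and every other character must be a digit,
# whitespace, an arithmetic operator or a parenthesis. Nothing else exists.
my %ALLOWED_FUNC = map { $_ => 1 } qw(sin cos sqrt abs exp log int);

sub is_safe_math {
    my ($expr) = @_;
    return 0 unless defined $expr && length($expr) <= 200;
    return 0 unless $expr =~ /\A[\d\s.+\-*\/%()A-Za-z]*\z/;
    while ($expr =~ /([A-Za-z]+)/g) {
        return 0 unless $ALLOWED_FUNC{$1};
    }
    return 1;
}

# Only allowlisted text ever reaches eval; a syntax error or a runtime
# error such as division by zero is caught and reported, not executed.
sub evaluate_math {
    my ($expr) = @_;
    return (undef, "rejected by allowlist") unless is_safe_math($expr);
    my $result = eval $expr;
    return (undef, "evaluation failed: $@") if $@;
    return ($result, undef);
}

# Constructed inputs: two legitimate expressions, one Perl keyword, and one
# harmless shell command in backticks that the letter rule alone lets through.
for my $input ('2 + sin(3) * 4', 'sqrt(16) ** 2', 'unlink "file"', '`ls`') {
    my ($value, $error) = evaluate_math($input);
    printf "%-18s letter rule: %s  allowlist: %s\n",
        $input,
        passes_letter_rule($input) ? 'pass' : 'reject',
        defined $error ? $error : "ok, value $value";
}
```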



***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch