[Date Prev][Date Next][Thread Prev][Thread Next]
[Search]
[Date Index]
[Thread Index]
Re: [MacPerl] Dangerous cgi-script
then it's good rm doesn't work on a macintosh
Todd
On Thu, 10 Jul 1997, Matthias Ulrich Neeracher wrote:
> claes@canit.se (Claes Bjorklund) writes:
> >Is this this cgi script dangerous? the idea with the script to let the
> >www-user do simple mathematics, but I am affraid they can do some thing
> >dangerous, is there any differnts with Unix or Mac?
> >
> >$math = $FORM{'calc'};
> >$res=eval "$math";
> >[...]
>
> This script is very dangerous indeed. Think of what happens if some user
> decides that "unlink" is a mathematical operator! The solution for this is to
> eith use the Safe module (but I have never really tried that on MacPerl) or to
> do a sanity check on $math before evaluating it. (Forbidding more than 3
> successive alphabetic characters, for instance, allows sin and cos while
> forbidding most (all?) dangerous operators).
>
> Matthias
>
> -----
> Matthias Neeracher <neeri@iis.ee.ethz.ch> http://www.iis.ee.ethz.ch/~neeri
> "I'm set free to find a new illusion" -- Velvet Underground
>
> ***** Want to unsubscribe from this list?
> ***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
>
***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch