
Re: [MacPerl] Dangerous cgi-script



Then it's good rm doesn't work on a Macintosh.

Todd

On Thu, 10 Jul 1997, Matthias Ulrich Neeracher wrote:

> claes@canit.se (Claes Bjorklund) writes:
> >Is this cgi script dangerous? The idea with the script is to let the
> >www-user do simple mathematics, but I am afraid they can do something
> >dangerous. Is there any difference with Unix or Mac?
> >
> >$math = $FORM{'calc'};
> >$res=eval "$math";
> >[...]
> 
> This script is very dangerous indeed. Think of what happens if some user
> decides that "unlink" is a mathematical operator! The solution for this is to
> either use the Safe module (but I have never really tried that on MacPerl) or to
> do a sanity check on $math before evaluating it. (Forbidding more than 3
> successive alphabetic characters, for instance, allows sin and cos while
> forbidding most (all?) dangerous operators).
> 
> Matthias
> 
> -----
> Matthias Neeracher   <neeri@iis.ee.ethz.ch>   http://www.iis.ee.ethz.ch/~neeri
>    "I'm set free to find a new illusion" -- Velvet Underground
> 
> ***** Want to unsubscribe from this list?
> ***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
> 

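The two fixes Matthias suggests, written out as an added example (this is not code from the thread, from MacPerl or from any of the posters). It assumes a current Unix Perl with the core Safe module and that the expression has already been taken out of the form, as in `$FORM{'calc'}`; the function names `looks_like_math` and `calculate` are this example's own. The input check is an allow-list of tokens rather than a cap on runs of letters, because a letter-run cap alone lets `` `rm -rf /` `` through (backticks are not letters and "rm" is two characters), and the Safe compartment is kept as a second layer so that an expression which slips past the check still cannot compile file-system, process or module-loading opcodes.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): a hardened stand-in for
#     $math = $FORM{'calc'};  $res = eval "$math";
# Assumes the expression string has already been pulled out of the form
# (no CGI parsing here) and a current Unix Perl with the core Safe module.
use strict;
use warnings;
use Safe;

# First layer: an allow-list of the tokens a calculator expression may
# consist of.  Numbers, arithmetic operators, parentheses, commas, whitespace
# and an explicit set of function names.  Quotes, backticks, sigils, braces,
# semicolons and any other word are rejected before anything is compiled.
my @functions = qw(sin cos sqrt exp log abs int atan2);
my $fn_alt    = join '|', @functions;
my $token_re  = qr{
      \d+(?:\.\d+)?          # number
    | (?:$fn_alt)\b          # allowed function name, must end at a word boundary
    | [-+*/%(),\s]           # operator, parenthesis, comma (for atan2), whitespace
}x;

sub looks_like_math {
    my ($expr) = @_;
    return 0 unless defined $expr && length($expr) <= 200;   # cheap size cap
    return $expr =~ /\A(?:$token_re)+\z/ ? 1 : 0;
}

# Second layer: compile and run inside a Safe compartment.  The default mask
# already traps file, process and module-loading opcodes (unlink, open,
# backticks, system, require ...); :base_math is added so sin, cos, sqrt,
# exp, log and atan2 compile, and :base_loop is removed so a loop cannot be
# used to spin the CGI.  Safe limits which opcodes compile, not run time or
# memory, hence the alarm backstop below.
my $compartment = Safe->new;
$compartment->permit(':base_math');
$compartment->deny(':base_loop');

# Returns ($value, undef) on success or (undef, $error) on failure.
sub calculate {
    my ($expr) = @_;
    return (undef, 'rejected by input check') unless looks_like_math($expr);

    alarm 5;   # hard backstop: SIGALRM ends a runaway request
    my $result = $compartment->reval($expr, 1);   # 1 = compile under 'use strict'
    alarm 0;
    if ($@) {
        chomp(my $err = $@);   # compile-time trap or run-time error inside Safe
        return (undef, "evaluation failed: $err");
    }
    return ($result, undef);
}

# Constructed inputs for a stand-alone run (not taken from the thread).
unless (caller) {
    my @inputs = (
        '2 + 3 * sin(1)',         # legitimate
        '(10 / 4) ** 2',          # legitimate
        'atan2(1, 1) * 4',        # legitimate
        'sqrt(-1)',               # passes the check, dies inside Safe
        '1 / 0',                  # passes the check, dies inside Safe
        'unlink "index.html"',    # rejected: quotes and a six-letter word
        '`rm -rf /`',             # rejected: backticks (a letter-run cap alone would miss it)
    );
    for my $in (@inputs) {
        my ($val, $err) = calculate($in);
        printf "%-24s => %s\n", $in, defined $val ? $val : "ERROR: $err";
    }

    # Defence in depth: even with the input check bypassed, Safe refuses to
    # compile a file-system opcode.
    $compartment->reval('unlink "index.html"');
    print "Safe alone: ",
        ($@ =~ /trapped by operation mask/ ? 'trapped' : 'NOT trapped'), "\n";
}
```

The allow-list is the primary control: it is a short, reviewable grammar, and anything outside it never reaches the compiler. Safe is the backstop for whatever the grammar gets wrong, and the `alarm` is there because an opcode mask says nothing about how long an expression such as a huge exponent takes to evaluate.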