PerlMonks  

Re: Dangerous Characters for system calls

by CountZero (Bishop)
on Oct 16, 2013 at 06:02 UTC [id://1058393]


in reply to Dangerous Characters for system calls

Run it in taint mode and only accept what is allowed and reject all others.

[a-zA-Z0-9] seems a safe set, but ultimately it will depend on what system commands you want to run.

CountZero

"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

My blog: Imperial Deltronics

Re^2: Dangerous Characters for system calls
by Anonymous Monk on Oct 16, 2013 at 09:39 UTC
    Perl has a built-in function for [A-Za-z_0-9]: quotemeta()

      Perl has a built-in function for A-Za-z_0-9: quotemeta()

      Nearly there. Too bad, Anonymous Monk cannot fix his own typos. Correctly said and taken from perldoc -f quotemeta:

      quotemeta

      Returns the value of EXPR with all the ASCII non-"word" characters backslashed. (That is, all ASCII characters not matching "/[A-Za-z_0-9]/" will be preceded by a backslash in the returned string, regardless of any locale settings.) This is the internal function implementing the "\Q" escape in double-quoted strings. (See below for the behavior on non-ASCII code points.)

      ...

      Cheers, Sören

      Creator of mobile bugs - let loose once, run everywhere.
      (hooked on the Perl Programming language)

      Not at all! That will escape "dangerous" characters for Perl but does not at all guarantee that the resulting string is safe (or will even work at all) for anything else but Perl.

      CountZero

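The approach the thread converges on (taint mode, a character allowlist, and no reliance on quotemeta() for anything but Perl itself), as an added example that is not code from any of the posters; the exact character set, the `wc` command and the sample inputs are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T this_script.pl [filename]
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, system() refuses to run while the environment is insecure,
# so pin PATH and drop the variables a shell would read.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist validation, as the thread recommends: accept only the characters
# you have decided are allowed and reject everything else. The set used here
# ([A-Za-z0-9], plus '.', '_' and '-' after the first character, at most 64
# characters) is an assumption for the example; adjust it to the command.
# Under -T the capture group is what clears the taint flag, so this regex is
# the whole policy: whatever it does not match never reaches system().
sub untaint_filename {
    my ($input) = @_;
    return undef unless defined $input;
    return $input =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/ ? $1 : undef;
}

# Call the external command with the list form of system(): the arguments go
# straight to execvp(), no shell is involved, so shell metacharacters are
# irrelevant. quotemeta() is deliberately absent: it escapes for Perl's regex
# engine and says nothing about how a shell or another program parses input.
sub run_wc_on {
    my ($untrusted) = @_;
    my $name = untaint_filename($untrusted);
    die "rejected input\n" unless defined $name;
    die "internal error: value still tainted\n" if tainted($name);
    my @cmd = ('wc', '-c', '--', $name);   # '--' ends option parsing
    system(@cmd) == 0 or die "wc failed: $?\n";
    return $name;
}

# Constructed sample inputs (not from the thread): only the first passes.
my @samples = ('report-2013.txt', 'report 2013.txt', '-rf', "notes\n");
for my $s (@samples) {
    my $verdict = defined untaint_filename($s) ? 'accepted' : 'rejected';
    (my $shown = $s) =~ s/\n/\\n/g;
    printf "%-20s %s\n", "'$shown'", $verdict;
}
print 'taint mode: ', (${^TAINT} ? 'on' : 'OFF (run with perl -T)'), "\n";

# @ARGV is tainted under -T, so this exercises the full path.
run_wc_on($ARGV[0]) if @ARGV;
```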
