Re^3: The importance of avoiding the shell

by ikegami (Patriarch)

on Sep 29, 2014 at 06:54 UTC ( [id://1102321]=note: print w/replies, xml )

Need Help??

I'm pretty sure that is what he's saying, but he's wrong if that's the case.

$ HTTP_ACCEPT='() { :;}; echo 0wn3d' \
   perl -T -e'$ENV{PATH}=""; system(q(/bin/ls -- "$HOME"))'
0wn3d
... contents of home dir ...
[download]

While $ENV{HTTP_ACCEPT} is tainted, system doesn't check if it's tainted.

Comment on Re^3: The importance of avoiding the shell Select or Download Code

In Section Meditations

Domain Nodelet^?

Node Status^?

node history
Node Type: note [id://1102321]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others meditating upon the Monastery: (1)

As of 2024-04-16 21:36 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

No recent polls found