A monk was recently asking the Chatterbox population how to get their adduser command to work correctly, and provided a code snippet similar to this:
system("adduser $username -c $realname");
In an attempt to provide a blatantly obvious example of why that code should be considered a Bad Thing (tm), I foolishly answered:
$realname = "bob; rm -r /";
system("adduser $username -c $realname");
Luckily, the pandemonium that ensued turned out to be a joke at my expense. But the lessons learned are real:
- "Blatantly obvious" isn't, in the chatterbox. The person reading your chats or posts might not understand you're kidding.
- If you post code, there's always a chance, no matter how small, that someone will run it. As root. On a production server. At 5pm on a Friday afternoon before a long weekend, when you're manning the pager. So don't post coode that you don't want people to run, even if it's completely obvious that you don't want people to run it (see #1).
- Don't run code that you don't understand. This can be a bit tricky when obfuscation is involved.
- If you "have" to run code that you don't understand, at least don't run it as root.
Alan
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|