Re: Path Traversal Vulnerability

Yes, the code isn't safe - see my node Calling External Commands More Safely.

In the first case, I recommend using File::Find or File::Find::Rule instead of shelling out to find. In the second case, since you're apparently piping things to the command and from the command, I would suggest IPC::Run3 (assuming the input and output are not too big, as the module usually works via temporary files) - but it would also be worth looking into whether uda_consolidate.pl could be designed as a module callable directly from your script.

Comment on Re: Path Traversal Vulnerability Select or Download Code

Replies are listed 'Best First'.
Re^2: Path Traversal Vulnerability by Rishi2Monk (Novice) on Dec 27, 2022 at 08:51 UTC
Thanks for your quick reply. Unfortunately, my current perl does not support either IPC::Run or IPC::Run3 and I could not install it as it needs access permissions. Can you please kindly let me know, if there is way to solve with open() or system()?	[reply]
Re^3: Path Traversal Vulnerability by Corion (Patriarch) on Dec 27, 2022 at 08:54 UTC
See Yes, even you can use CPAN , or alternatively copy the source code into your project.	[reply]
Re^3: Path Traversal Vulnerability by haukex (Archbishop) on Dec 27, 2022 at 09:00 UTC
In addition to what Corion said, I already answered that question. In the case of the `find`, File::Find is a core module. And in the case of the Perl script, you can modify it so that it is directly callable from your Perl script, or at the very least, you can modify it so that it supports input and output via files (if it doesn't already), that is very easy to do in Perl, then you can call it with a multi-argument system as I describe in the node I linked to.	[reply] [d/l]
A reply falls below the community's threshold of quality. You may see it by logging in.