in reply to Untainting system calls correctly

I'm curious. First, you identify that the single argument form of system() is a potential problem, but then you proceed on to use it. If you're going to use   system("/usr/sbin/useradd $cli"); then you need to prevent $cli from having as it's trailing substring something day-ruining like   "... ; /bin/rm -rf *" You don't have this problem with the multiple argument form, since you're bypassing the shell entirely. Here's a simple reworking: 
  my $username = ... untaint $formdata{'username'};
  ... etc. for other form variables

  my @cli = ("-s", $shell,
             "-d", $home,
             "-G", $group
             $usrname);
  ...
  system("/usr/sbin/useradd", @cli);

[download]

Edit: s/training/trailing/

Replies are listed 'Best First'.
Re: Re: untainting system calls correctly
by Fletch (Bishop) on Apr 10, 2002 at 16:43 UTC

    Not to meniton preventing someone from slipping in a username of `-u 0 I0wNj00'.

    Update: As a clarification, I mean that by using the multiple arugment form rather than letting the shell split you prevent the user from submitting extra arguments (in the example I gave they could specify that their new account would get a uid of 0).

[reply]
[d/l]
Re: Re: untainting system calls correctly
by c (Hermit) on Apr 10, 2002 at 17:24 UTC
    Sorry if I am just missing the nomenclature you're using, but what do you mean by "training substring"?

    thanks! -c

[reply]

In Section Seekers of Perl Wisdom