in reply to Re: script-security / custom nagios-check
in thread script-security / custom nagios-check

Yes, I thought of that while doing that one :-)
But I can't be as rigid as I wanted to be with the regexp that checks the remotely executed command; my main concern is whether there's a weakness due to that.

As for -T | -t: I had a look at that and thought it wouldn't make a difference in this case. Am I plain wrong with this assumption?

regards,
tomte


Re: Re: Re: script-security / custom nagios-check
by Jaap (Curate) on Jan 30, 2003 at 12:01 UTC
    -T helps you with security in that it marks any data coming from 'the outside' as tainted until you explicitly untaint it with a regexp.

        #!/bin/perl -wT
        use strict;

        # Command-line arguments are tainted under -T.
        my $taintedVar = $ARGV[0];

        # Declared outside the block so the clean value is usable afterwards.
        my $UNtaintedVar;

        # Only a capture from a regexp match untaints; the pattern is the check.
        if (defined $taintedVar && $taintedVar =~ m/^([0-9]+)$/) {
            $UNtaintedVar = $1;
        }

    A not-so-smart programmer could use (.*) as a regexp, and then the data in $1 would be untainted but insecure.

      I read the perldoc that far ;-)
      and decided I don't need -T, as I'm checking all input with a regexp that's not as general as (.*). I had used -T but really found no difference, so I left it out, as there must be some impact on runtime.

      So unless taint checks check more than I know, I think I don't need it here.

      Edit: Don't get me wrong.
      Please convince me that I need -t or anything else I might have missed.
      I'm doing a lot of stuff in perl, but I'm mostly paid to do java.

      regards,
      tomte
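
The point Jaap makes above (-T forces every outside value through an untainting regexp, and (.*) satisfies perl without constraining anything) and the "convince me that I need -T" question in the reply, as one added example. This script is not from the thread; it is a constructed demo of a check-style wrapper. The hostname pattern, the `/bin/echo` stand-in for the real check command and the two sample inputs are assumptions made for the illustration; the `substr(join('', values %ENV), 0, 0)` trick only yields a tainted empty string if the process has at least one environment variable.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: what -T catches that a
# validation regexp on its own does not, and why (.*) is no validation.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Grab a tainted empty string before scrubbing %ENV, so the constructed
# demo inputs below are tainted exactly as $ARGV[0] would be.
# Assumption: at least one environment variable is set.
my $TAINT = substr(join('', values %ENV), 0, 0);

# Taint mode refuses to run external commands while PATH (or the
# shell-influencing variables) is tainted, so scrub them first.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# Strict untaint: a hostname is letters, digits, dots and hyphens,
# length-bounded. Anything else is rejected (returns undef).
sub untaint_hostname {
    my ($raw) = @_;
    return unless defined $raw
        && $raw =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/;
    return $1;    # untainted AND actually constrained
}

# The (.*) anti-pattern: perl marks $1 clean, but nothing was checked.
sub untaint_anything {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A(.*)\z/s;
    return $1;    # untainted as far as -T is concerned, still hostile
}

# Run the "check" the way a naive plugin might: one string, via the shell.
# Under -T a tainted $host dies here instead of ever reaching /bin/sh.
# (/bin/echo stands in for the real check binary; assumption.)
sub run_check {
    my ($host) = @_;
    return 'skipped: invalid host' unless defined $host;
    my $ok = eval { system("/bin/echo probing $host"); 1 };
    unless ($ok) {
        (my $err = $@) =~ s/\s+\z//;
        return "died: $err";
    }
    return 'exit status ' . ($? >> 8);
}

# Real arguments if given, otherwise two constructed inputs: a benign
# hostname and one carrying a shell metacharacter.
my @inputs = @ARGV
    ? @ARGV
    : map { $_ . $TAINT } ('host1.example.org', 'host1.example.org; id');

for my $raw (@inputs) {
    printf "input %-28s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;
    print "  raw    : ", run_check($raw), "\n";                     # dies under -T
    print "  (.*)   : ", run_check(untaint_anything($raw)), "\n";   # runs; shell sees ';'
    print "  strict : ", run_check(untaint_hostname($raw)), "\n";   # rejects the second input
}
```

Run it as `perl -T script.pl` (or directly via the shebang); invoking it as `perl script.pl` fails with "Too late for -T". With the second input, the raw path dies with "Insecure dependency in system while running with -T switch", the (.*) path lets the shell execute `id` after the echo, and the strict pattern never lets the value reach system() at all. That is the difference between the two positions in the thread: a strict regexp is what actually protects the command line, and -T is what makes it impossible to forget the regexp on any path from the outside to system(), open() or backticks. Lowercase -t only warns instead of dying, so it shows the same gaps without enforcing anything.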