in reply to Host IP address

The script could perform a DNS lookup on $ENV{DOCUMENT_ROOT}.

Always exercise caution in trusting $ENV variables though. Some are wholly unreliable much of the time, while others can be easily spoofed by a custom script trying to behave like a browser.

That means that you could be exposing yourself to a security issue by passing 'chdir' data directly from an environment variable. Put the -T switch in the shebang line of your script and watch the fireworks the next time you run it.


Dave

Re: Host IP address
by b10m (Vicar) on Dec 12, 2003 at 11:18 UTC
    "Always exercise caution in trusting $ENV variables though. Some are wholly unreliable much of the time, while others can be easily spoofed by a custom script trying to behave like a browser."
    Correct me if I'm wrong, but a DOCUMENT_ROOT is quite hard to spoof client side, since it is a server side variable, unlike for example HTTP_USER_AGENT. In the latter case, the script relies on (l)user input, and thus it's easy to spoof. DOCUMENT_ROOT is specified by the http daemon, not the client.

    "That means that you could be exposing yourself to a security issue by passing 'chdir' data directly from an environment variable."
    In this specific case, I doubt you're exposing yourself to a security risk.

    --
    b10m
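
An added example, not code from either post above: a taint-mode script showing that under -T every external value is marked tainted regardless of whether the server or the client supplied it, so a raw chdir on DOCUMENT_ROOT is refused until the value has been validated. The sample values, the /tmp path, the helper name untaint_dir and its allowed-character pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as ./script.pl or `perl -T script.pl`.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string: appending it marks a value as external data,
# the way every %ENV entry is marked when a real CGI request arrives.
my $TAINT = substr($^X, 0, 0);

# Constructed sample values standing in for a CGI environment.
my %sample_env = (
    DOCUMENT_ROOT   => '/tmp' . $TAINT,
    HTTP_USER_AGENT => 'Mozilla/5.0 (constructed)' . $TAINT,
);

# Return an untainted directory path, or undef if validation fails.
# Assumed policy: absolute path, segments of [A-Za-z0-9_.-], no ".." segment.
sub untaint_dir {
    my ($value) = @_;
    return unless defined $value;
    return if $value =~ m{(?:^|/)\.\.(?:/|$)};
    return $1 if $value =~ m{\A((?:/[A-Za-z0-9_.-]+)+)/?\z};
    return;
}

# Taint mode does not distinguish server-set from client-set variables.
for my $name (sort keys %sample_env) {
    printf "%-16s tainted=%d\n", $name, tainted($sample_env{$name}) ? 1 : 0;
}

# 1. The raw value: chdir is a taint-checked operation under -T.
eval { chdir $sample_env{DOCUMENT_ROOT} };
print "raw chdir: ", ($@ ? "died: $@" : "allowed\n");

# 2. Validate first; the regex capture ($1) is what clears the taint flag.
my $dir = untaint_dir($sample_env{DOCUMENT_ROOT});
die "DOCUMENT_ROOT failed validation\n" unless defined $dir;
chdir $dir or die "chdir $dir: $!\n";
print "validated chdir ok: $dir\n";
```

The pattern in untaint_dir is the actual security decision: a capture such as `(.*)` would clear the taint flag without checking anything.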