That's OK. Injection attacks are equally plausible against non-web apps. Indeed the very example to which Brother afoken drew your attention did not attack web apps, predating the web as it did. If you are writing scripts of any sort and not using taint mode you will reap what you sow.
I guess you're referring to the Morris worm? Hm...if I try to imagine an exploit using this functionality in my GUI app, I don't really think it would have much to do with shelling out or code injection. The purpose of this extension mechanism is to let the user execute their own arbitrary code. So I guess I could do a kind of Trojan horse attack, where I would put malicious code in the file containing my students' grades, then send the file to other people and try to get them to open the file. This seems a little implausible both because my user base is extremely small and because normally people aren't showing other people their students' grades, unless it's something like a TA showing them to the main instructor for a course.
But in principle you're right, and that's probably an argument for using either a small, non-Turing complete language or a language that can be sandboxed. It looks like I'm going to use Guile, and Guile does have a sandboxing method in versions 2.2.1+.
In reply to Re^5: Extending a perl program with Scheme, Lua, or JS
by bcrowell2
in thread Extending a perl program with Scheme, Lua, or JS
by bcrowell2
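The sandboxing route mentioned in the reply above, as an added example that is not code from the thread or from Guile's documentation: a user-supplied grading "formula" is read from text (which in the real program would come from the grades file) and evaluated with Guile's (ice-9 sandbox), Guile 2.2.1 or later. The formula strings, the score list and the `run-extension` helper are constructed here for illustration; only `eval-in-sandbox`, `all-pure-bindings` and their keyword arguments are Guile's own API.

```scheme
;; Added example, not from the original thread. Requires Guile >= 2.2.1.
(use-modules (ice-9 sandbox))

;; Hypothetical extension hook: the user writes one Scheme expression that
;; maps a list of scores to a course grade. In the real program this text
;; would be read out of the grades file; here it is constructed inline.
(define trusted-formula
  "(lambda (scores) (/ (apply + scores) (length scores)))")

;; What a Trojan-horse grades file might carry instead of a formula:
;; shelling out, touching the file system, or spinning forever.
(define hostile-shell
  "(lambda (scores) (system \"echo pwned\") 0)")
(define hostile-file
  "(lambda (scores)
     (call-with-output-file \"/tmp/owned\" (lambda (p) (display 1 p)))
     0)")
(define hostile-loop
  "(lambda (scores) (let lp () (lp)))")

;; Evaluate the *application* of the formula inside the sandbox, not just
;; the lambda: if we pulled the closure out and called it ourselves, the
;; call would run outside the time and allocation limits.
;; all-pure-bindings exposes arithmetic, lists, strings and so on, but no
;; ports, no `system`, and nothing that mutates shared state, so the
;; hostile formulas fail with an unbound-variable error at best.
;; Returns (ok . grade) or (rejected key . args).
(define (run-extension formula-text scores)
  (let ((exp (list (call-with-input-string formula-text read)
                   (list 'quote scores))))
    (catch #t
      (lambda ()
        (cons 'ok
              (eval-in-sandbox exp
                               #:time-limit 0.5          ; wall-clock seconds
                               #:allocation-limit #e10e6 ; bytes
                               #:bindings all-pure-bindings)))
      (lambda (key . args)
        (cons 'rejected (cons key args))))))

;; Usage: the trusted formula yields (ok . 80); the hostile ones are
;; rejected (unbound variable for `system` / `call-with-output-file`,
;; and the time limit for the infinite loop).
(for-each
 (lambda (name text)
   (format #t "~a: ~s\n" name (run-extension text '(90 80 70))))
 '(trusted hostile-shell hostile-file hostile-loop)
 (list trusted-formula hostile-shell hostile-file hostile-loop))
```

Two caveats worth keeping in mind: by default `eval-in-sandbox` evaluates in a fresh module that is severed afterwards, so nothing a formula defines survives into the next call, which is what you want for a per-file extension; and the sandbox only restricts which bindings the code can reach and how long it may run, so if you later switch to `all-pure-and-impure-bindings` to let formulas use mutation, re-check what that reopens. The `catch #t` above is deliberately coarse so that any failure mode (compile error, unbound variable, limit exceeded) is reported rather than crashing the GUI.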