use -T as well as strict and warnings. don't use the PATH environment, unless you've cleaned it. when you execute a system call, use the full path to the executable, and pass an array, so the shell is bypassed. these and many other good practices can be learned by reading the perlsec documentation. i highly recommend reading Ovid's "Web Programming Using Perl" Course as well. it's helped me tremendously.
here's some code...
#!/usr/bin/perl -wT use strict; use CGI; # clean your environment BEGIN { $ENV{PATH} = '/usr/bin:/usr/local/bin'; } my $useradd = '/full/path/to/useradd'; my( $site_count, $username ); # and so on... # get input, which will be tainted... # my $username = $CGI->param('username'); # untaint input # for instance, username is 1 to 12 word characters if( $username =~ /^(\w{1,12})$/ ) { $username = $1 } # and so on... # now call system, with list of arguments to bypass shell system( $useradd, qq|-c "fullname"|, qq|-d /home/sites/site$site_count/users/$username|, qq|-g site$site_count|, qq|and so on...|, ) and error( "oh, i didn't expect that! $!" );
~Particle *accelerates*
In reply to Re^3: Using doublequotes in a system call
by particle
in thread Using doublequotes in a system call
by rguyer
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |