As many people have pointed out already, one of your arguments to system is tainted. Unfortunately, Perl doesn't tell you which one. You could walk through your code to try and figure it out, but since we're programming in Perl, laziness is a virtue, and there are modules to check this for you automatically.
If you have a recent version of IPC::System::Simple then if called with tainted arguments it will tell you which ones are tainted. That means your code changes to:
    use IPC::System::Simple qw(system);
    system('/usr/bin/ssh', '-l', $owner, $host, $binct, @op, @lbtype);
IPC::System::Simple will also throw a detailed exception if your ssh command doesn't run, is killed by a signal, or returns a non-zero exit value (although you can change that if you wish, see the docs).
If you're using autodie and have IPC::System::Simple installed, then you can do the same thing with lexical scope (i.e., just for that block):
    {
        use autodie qw(system);
        system('/usr/bin/ssh', '-l', $owner, $host, $binct, @op, @lbtype);
    }
IPC::System::Simple is pure Perl with no dependencies and works on 5.6.0 and above. autodie is pure Perl, has IPC::System::Simple as an optional dependency, and works on 5.8.0 or above.
Disclaimer: I wrote all the modules mentioned in this post, so I obviously think they're great. ;)
Best regards,
In reply to Re: Insecure dependency in system under -T, with list form invocation
by pjf
in thread Insecure dependency in system under -T, with list form invocation
by cramdorgi
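An added example, not part of the original post and not code from IPC::System::Simple: a manual version of the same check using the core Scalar::Util module, followed by allow-list untainting of the offending argument. The helper names `tainted_positions` and `untaint`, the user name, the host and the pattern are assumptions made up for illustration.

```perl
# Run with taint mode enabled: perl -T example.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return the indexes of the tainted values in an argument list.
# (Hypothetical helper; tainted() only reports true under -T.)
sub tainted_positions {
    my @args = @_;
    return grep { tainted($args[$_]) } 0 .. $#args;
}

# Untaint a value by matching the whole string against an allow-list
# pattern. Only the regex capture is untainted; anything else dies.
sub untaint {
    my ($value, $pattern, $label) = @_;
    my ($clean) = $value =~ /\A($pattern)\z/
        or die "Refusing $label: value does not match the allow-list\n";
    return $clean;
}

# Constructed sample data. $^X is tainted under -T, so appending a
# zero-length piece of it taints $owner, simulating external input.
my $TAINT = substr($^X, 0, 0);
my $owner = 'builder' . $TAINT;
my $host  = 'build01.example.org';    # literal in the source: untainted
my @cmd   = ('/usr/bin/ssh', '-l', $owner, $host, 'uptime');

# Step 1: find out which argument would trigger "Insecure dependency".
for my $i (tainted_positions(@cmd)) {
    print "argument $i is tainted: $cmd[$i]\n";
}

# Step 2: validate the offending value against a strict pattern
# (assumed policy: lowercase account names of at most 32 characters).
$cmd[2] = untaint($owner, qr/[a-z_][a-z0-9_-]{0,31}/, 'owner');

# Step 3: confirm the list is clean before it goes to system().
my @still_tainted = tainted_positions(@cmd);
print @still_tainted
    ? "still tainted at: @still_tainted\n"
    : "all arguments are clean\n";

# The command is deliberately not executed in this example.
```

Without `-T`, `tainted()` always returns false, so the script reports every argument as clean.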