Consider if someone enters this as the 'number': 1 foot' 'inches'; rm -rf /; echo '

You could sanitize the input by making sure the number is really a number -- only digits and decimal point, that kind of thing (though that's trickier than it sounds, if you want to allow commas/underscores in long numbers, scientific notation, etc.). You can make the user choose from a selection of unit types, and verify that they selected a valid one from a list (because it's trivial to circumvent browser restrictions on that kind of thing). It would also help to open a pipe to/from units (with no command-line arguments) and pass the values to it in interactive mode, where bad inputs shouldn't be as dangerous as they can be on the command line.

Or you can use one of the conversion modules suggested above. Of course, then you're counting on those modules to handle dangerous inputs properly, so you should probably still sanitize your data as much as possible.

Aaron B.
Available for small or large Perl jobs; see my home node.


In reply to Re: Security issue and solution for terminal command accessed by public user by aaron_baugher
in thread Security issue and solution for terminal command accessed by public user by keenlearner
