in reply to Remove or Identify Shell Commands In A Form

Your better strategy is to avoid exposure by never feeding user input to the shell. If you must give arguments to utilities, use the list form of system, magic open, or exec so that no shell interpretation of the command line is done.

You'd need an accurate combination html/shell parser to sanitize shell constructs from html fragments. Why bother, if the text never gets shell-interpreted? Your users might discuss shell programming without any ill intent.

After Compline,
Zaxo
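The list-form calls Zaxo recommends, shown as an added Perl example that is not part of this thread; it uses /bin/echo in place of a mailer so it can be run harmlessly, and the email value and the looks_like_email pattern are constructed for illustration:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of hostile-looking form input for a "reply to" field.
my $reply_to = 'user@example.com; touch /tmp/pwned';

# Light validation first: accept only a plausible address shape.
# Deliberately simple whitelist pattern, not a blacklist of shell syntax.
sub looks_like_email {
    my ($addr) = @_;
    return $addr =~ /\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/ ? 1 : 0;
}

# Unsafe (string form): a single string is handed to /bin/sh, which
# treats ';' as a command separator and runs whatever follows it.
# system("/usr/sbin/sendmail -f $reply_to recipient\@example.com");

# Safe (list form): no shell is involved, so the value is passed to the
# child as one literal argv element, metacharacters and all.
# /bin/echo stands in for the mailer so this can be run safely.
sub argv_roundtrip {
    my ($value) = @_;
    open(my $fh, '-|', '/bin/echo', $value) or die "cannot run echo: $!";
    my $line = <$fh>;
    close $fh;
    chomp $line;
    return $line;
}

print looks_like_email($reply_to) ? "accepted\n" : "rejected: $reply_to\n";
# The child sees the whole string as a single argument; no shell parsed it.
print "argv seen by child: ", argv_roundtrip($reply_to), "\n";
```

The same list form works for `system` and `exec`, so the validated value can be passed to a real mailer without any quoting or escaping.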


Re^2: Remove or Identify Shell Commands In A Form
by rongoral (Beadle) on Nov 26, 2004 at 16:30 UTC

    Thank you Zaxo, for the reply.

    However, my main concern is not to actually execute the commands, but to do so inadvertently. For instance, if a field in the form collects an email address that is in turn used as a "reply to" and the form results are emailed to another, I do not want to open a window for the unkind people who may try to insert shell commands there to hack the site. The scope of the posted method is simply to gather the data from the form, do a limited validation of the data, and send it back to the calling script in the form of a hash_ref. The use of the form data is done within the calling script.

      If you follow Zaxo's advice you will achieve exactly that -- you'll save yourself from inadvertently running shell commands from malicious users. Just do not pass user input to shell.

      Or maybe we both cannot understand your question.

      --kap