Re: Simple XML Dumper

Replies are listed 'Best First'.
Re^2: Simple XML Dumper by mscharrer (Hermit) on Sep 30, 2008 at 14:54 UTC
I was aware about the issue with `eval "@ARGV"` but keep in mind that it's a local tool and only runs with the permissions of the calling user - which is allowed to execute any perl code anyway. It's not a CGI or `suid` script and not written for production environments etc.	[reply] [d/l] [select]
Re^2: Simple XML Dumper by moritz (Cardinal) on Sep 30, 2008 at 12:44 UTC
Not generally. If it's documented, it's not so bad, because whoever wants to exploit it could have run `perl -e` instead.	[reply] [d/l]
Re^3: Simple XML Dumper by jdporter (Paladin) on Sep 30, 2008 at 14:26 UTC
If the script is `setuid`, it's considerably worse than `perl -e`.	[reply]
Re^4: Simple XML Dumper by moritz (Cardinal) on Sep 30, 2008 at 14:32 UTC
If the script is setuid, taint checking is enabled by default, and I don't think that evaling tainted strings is allowed.	[reply]