Re^4: Not able to use native linux commands in a perl script

Copy is a copy...
I mean in File::Copy input parameters has verifying for entered data.
But if I use command system('cp '.$src.' '.$dst) and $dst can be changed by user, we have a big problem with executing any native linux commands.
I'm not test this example, but this or like this must work.
As example $dst='text.txt; cat /etc/passwd | mail ...'. If this script will be using with root privilege...

Comment on Re^4: Not able to use native linux commands in a perl script

Replies are listed 'Best First'.
Re^5: Not able to use native linux commands in a perl script by JavaFan (Canon) on Dec 14, 2010 at 21:38 UTC
Yeah, but if $dst can be changed by a user, `File::Copy($src, $dst);` [download] can wipe any file you care about. Note that prevention of executing arbitrary commands is trivial using system: `system '/bin/cp', $src, $dst;` [download] Not any more dangerous than File::Copy. As example $dst='text.txt; cat /etc/passwd \| mail ...'. If this script will be using with root privilege... Yawn. If the script is executed with root privileges, and `$dst = '/etc/passwd'`, `File::Copy("blah", $dst);` isn't exactly harmless. Oh, and if you're going to accept data from others, you ought to be using taint mode anyway. And properly detaint your input.	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^5: Not able to use native linux commands in a perl script
by JavaFan (Canon) on Dec 14, 2010 at 21:38 UTC

File::Copy($src, $dst);
[download]

system '/bin/cp', $src, $dst;
[download]

As example $dst='text.txt; cat /etc/passwd | mail ...'. If this script will be using with root privilege...

$dst = '/etc/passwd'

File::Copy("blah", $dst);

Oh, and if you're going to accept data from others, you ought to be using taint mode anyway. And properly detaint your input.

[reply]
[d/l]
[select]