No it doesn't, it executes rm -rf /. Hopefully, you're not running as root, you're using taint
it doesn't on my machine. I tried it (with a different command just in case I was wrong.) It does not execute the command.
eval (I believe) is only going to evaluate the string given it. I am not giving it the string "$arg_2", I am giving it the string "s/$arg_1/$arg_2/".
perhaps if I were using the 'e' flag it would be a problem.
even if it did what you think it did, I would have to ask, why would I want to do that? That to me is like saying, "go to your terminal, and type rm -rf /".
perhaps if I were using the 'e' flag it would be a problem.
You're using string eval, it's a problem right now, just because I didn't provide a working exploit on purpose
That to me is like saying, "go to your terminal, and type ...
Imagine some user telling you, hey, I can't get your program to work, here is what I tried, and then you enter what the user gives you, and you execute rm -rf
Imagine forgetting how your program works, and accidentally getting rm -rf to execute
You do absolutely nothing to ensure that can't happen.
The cheapest option is to use taint (-T).
If this is just a program for personal use, why wouldn't you simply use perl -E ... ?
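An added illustration of the point being argued, not code from either poster: the string-eval form of s/$arg_1/$arg_2/ beside a version that never compiles user input as Perl. The subroutine names and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The pattern under discussion: $arg_1 and $arg_2 are spliced into Perl
# source text and then compiled with string eval, so whatever they contain
# is parsed as code, not handled as data.
sub subst_via_string_eval {
    my ($text, $arg_1, $arg_2) = @_;
    my $ok = eval "\$text =~ s/$arg_1/$arg_2/; 1";
    die "eval failed: $@" unless $ok;
    return $text;
}

# Hardened form: no string eval. The pattern is compiled with qr// (the
# user presumably wants a regex there) and the replacement is interpolated
# as an ordinary scalar, so its characters are never read as Perl source.
# Running with -T would additionally refuse the string eval above whenever
# the arguments come from @ARGV or stdin.
sub subst_safely {
    my ($text, $arg_1, $arg_2) = @_;
    my $re = eval { qr/$arg_1/ } or die "bad pattern: $@";
    $text =~ s/$re/$arg_2/;
    return $text;
}

# Constructed sample: a replacement that happens to contain the s///
# delimiter. Safe version: the '/' is just text.
my $input = 'hello world';
print subst_safely($input, 'world', 'a/b'), "\n";   # hello a/b

# String-eval version: the '/' is taken as a delimiter, 'b' as a regex
# modifier, and the eval fails to compile. That failure is the symptom of
# the underlying problem: the argument is being parsed as Perl code.
my $out = eval { subst_via_string_eval($input, 'world', 'a/b') };
print 'string eval: ', (defined $out ? $out : "error: $@"), "\n";
```

Feed the two subroutines the same input and only the string-eval one reacts to the content of $arg_2 as something other than text.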