Re: Security issue and solution for terminal command accessed by public user

The simple solution is to only accept values that match numeric values and known units:

use Regexp::Common;

my %units = map ($_,1), qw[ miles kilometers pounds kilograms ... ];

my( $num, $from, $to ) = getUserInput();

die 'Bad number input' unless $num =~ /^\s*$RE{num}{real}\s*$];
die 'Bad units input'  unless exists $units{ lc $from } 
                        and    exists $units{ lc $to );

my $res = `units $num $from $to`;
[download]

With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

The start of some sanity?

Comment on Re: Security issue and solution for terminal command accessed by public user Download Code

Replies are listed 'Best First'.
Re^2: Security issue and solution for terminal command accessed by public user by Anonymous Monk on Jul 06, 2012 at 19:14 UTC
String::ShellQuote and/or IPC::System::Simple capturex	[reply]
Re^3: Security issue and solution for terminal command accessed by public user by BrowserUk (Patriarch) on Jul 06, 2012 at 19:20 UTC
Why? With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday' Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error. "Science is about questioning the status quo. Questioning authority". In the absence of evidence, opinion is indistinguishable from prejudice. The start of some sanity?	[reply]
Re^4: Security issue and solution for terminal command accessed by public user by Anonymous Monk on Jul 06, 2012 at 19:55 UTC
Re^2: Security issue and solution for terminal command accessed by public user, obviously	[reply]
Re^5: Security issue and solution for terminal command accessed by public user by BrowserUk (Patriarch) on Jul 06, 2012 at 22:14 UTC
Re^6: Security issue and solution for terminal command accessed by public user by Anonymous Monk on Jul 07, 2012 at 04:39 UTC
Some notes below your chosen depth have not been shown here
Re^2: Security issue and solution for terminal command accessed by public user by keenlearner (Acolyte) on Jul 07, 2012 at 05:14 UTC
Hi Thanks, I have thought of this. But I was wondering if there's a lazy way to bypass this method, cause then I have to find all the supported units and list in the perl code, that's not a big problem but if in the future if I add a new unit in "units", then have to add in the code also.	[reply]
Re^3: Security issue and solution for terminal command accessed by public user by BrowserUk (Patriarch) on Jul 07, 2012 at 06:12 UTC
It is the safest way. If you trust the quoting modules to handle everything a malicious user might throw at it, buffer overflow attempts and all the other 'ploits the devious minds must expend hundreds of hours dreaming up, go for it. I'm not the paranoid type, but I see the ongoing arms race seemingly undampened by the millions of dollars and thousands of hours of expertise that large organisations like MS, Google, Apple et al. throw at similar problems. Am I going to trust the efforts of a lone CPAN author, given that the bad guys have only to download the module to look inside to search for weaknesses? When the alternative is safer and actually easier, why risk it. With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday' Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error. "Science is about questioning the status quo. Questioning authority". In the absence of evidence, opinion is indistinguishable from prejudice. The start of some sanity?	[reply]