Date: 06 Sep 2001 22:58:36 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Mike Meyer <mwm@mired.org>
Cc: Piet Delport <siberiyan@mweb.co.za>, Kris Kennaway <kris@obsecurity.org>, Giorgos Keramidas <charon@labs.gr>, freebsd-chat@FreeBSD.ORG
Subject: Re: Scripts and setuid
Message-ID: <xzpsne0dojn.fsf@flood.ping.uio.no>
In-Reply-To: <15255.33577.367972.284194@guru.mired.org>
References: <999708032.3b96558062cd2@webmail.neomedia.it> <20010905204055.A268@athalon> <20010905215258.A4304@hades.hell.gr> <20010906005600.A4157@athalon> <20010905161408.A80303@xor.obsecurity.org> <20010906131141.B4157@athalon> <15255.33577.367972.284194@guru.mired.org>
Mike Meyer <mwm@mired.org> writes:

> First, perl isn't an exception. It's a lot safer than shell scripting
> because it can do real work without executing external code. It also
> provides "taint checking" which prevents you from accidentally executing
> strings that came from the user.

Taint checks also prevent you from opening or deleting files whose names
were constructed from strings taken from the environment, command line, or
user input, or read from a file. They also prevent you from calling exec()
or system() with an insecure $PATH (for some definition of "insecure").
There are of course mechanisms to circumvent these checks for strings that
the programmer is certain are safe (regexp match variables don't inherit
taint from the string the regexp was matched against).

One other advantage of Perl is that it isn't vulnerable to IFS tickling.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
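The taint-mode behaviour described in the reply above, as an added example that is not code from the thread: a command-line argument is tainted, `open` for writing refuses it until a regexp capture whitelists it, and `system()` needs a sanitised `$ENV{PATH}` (and no IFS/CDPATH/ENV/BASH_ENV) before it will run. The filename pattern, the `/tmp` target and the `ls` call are my assumptions.

```perl
#!/usr/bin/perl -T
# Added example: Perl taint mode (-T) in practice. Run as: perl -T taint.pl somefile.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);   # core module; tainted() reports the taint flag

# Under -T everything from outside the program is tainted: @ARGV, %ENV, file reads.
@ARGV == 1 or die "usage: $0 FILENAME\n";
my $name = $ARGV[0];            # tainted: came from the command line

# exec()/system() die with "Insecure $ENV{PATH}" unless every PATH entry is
# absolute and not world-writable; set it to a known value rather than trust
# the caller's environment. Perl also checks the shell's IFS/CDPATH/ENV/BASH_ENV,
# which is the "IFS tickling" the reply mentions, so drop them outright.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by whitelisting: only the capture ($1) of a successful match is clean.
# A blanket /(.*)/ would launder anything and defeat the check entirely.
# Assumed policy: a plain basename, no '/', no leading '.', at most 64 chars.
sub untaint_filename {
    my ($raw) = @_;
    return $1 if $raw =~ m{\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z};
    return;                     # undef: reject rather than "fix" a bad name
}

my $safe = untaint_filename($name);
defined $safe or die "refusing suspicious filename: $name\n";

printf "argument tainted: %d, whitelisted copy tainted: %d\n",
    tainted($name) ? 1 : 0, tainted($safe) ? 1 : 0;   # prints 1 then 0

# Opening for write with the raw $name would die here with
# "Insecure dependency in open while running with -T switch"; $safe is allowed.
my $path = "/tmp/$safe";        # literal . untainted => untainted
open my $fh, '>', $path or die "open $path: $!";
print $fh "written under taint mode\n";
close $fh or die "close: $!";

# List-form system(): no shell parses the arguments, and the call is permitted
# only because $ENV{PATH} was set to a literal above.
system('ls', '-l', $path) == 0 or die "ls failed: $?\n";
```

Remove the `$ENV{PATH}` assignment or replace the whitelist with `/(.*)/` and rerun to see which check fires; with the shebang `-T` but no `-T` on the command line Perl refuses to start with "Too late for -T option".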