[devel] JFYI: insecure environment variables

Alexey Tourbin at altlinux.ru
Sun Jun 12 21:59:06 MSD 2005


perl-5.8.7/taint.c:

    static char* misc_env[] = {
	"IFS",		/* most shells' inter-field separators */
	"CDPATH",	/* ksh dain bramage #1 */
	"ENV",		/* ksh dain bramage #2 */
	"BASH_ENV",	/* bash dain bramage -- I guess it's contagious */
	NULL
    };


$ perl -Mdiagnostics -wT -le 'print `date`'
Insecure $ENV{PATH} while running with -T switch at -e line 1 (#1)
    (F) You can't use system(), exec(), or a piped open in a setuid or
    setgid script if any of $ENV{PATH}, $ENV{IFS}, $ENV{CDPATH},
    $ENV{ENV}, $ENV{BASH_ENV} or $ENV{TERM} are derived from data
    supplied (or potentially supplied) by the user.  The script must set
    the path to a known value, using trustworthy data.  See perlsec.

Uncaught exception from user code:
        Insecure $ENV{PATH} while running with -T switch at -e line 1.
 at -e line 1
$
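For reference, the perlsec-style fix for the failure shown above, as an added example (not part of the original post): a script that rewrites PATH to a fixed trusted value, drops the four variables from taint.c's misc_env list, and keeps TERM only when it matches the plain-token rule taint.c applies, after which the backtick call succeeds under -T. The path '/bin:/usr/bin' is an assumed site choice.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: sanitise %ENV before a
# backtick / piped open / system() call under taint mode (-T).
use strict;
use warnings;

# Under -T every value inherited from the environment is tainted.
# Before system(), exec() or a piped open Perl refuses to continue if
#   - $ENV{PATH} is tainted,
#   - any of IFS, CDPATH, ENV, BASH_ENV is present (their content is irrelevant),
#   - $ENV{TERM} is tainted and contains anything beyond a plain token.
sub sanitize_env {
    # A literal assignment yields an untainted PATH (assumed trusted dirs).
    $ENV{PATH} = '/bin:/usr/bin';

    # The shell-influencing variables from taint.c's misc_env list.
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # TERM is tolerated by taint.c only as a plain token (word chars plus - . +);
    # anything else is dropped rather than untainted.
    delete $ENV{TERM}
        unless defined $ENV{TERM} && $ENV{TERM} =~ /\A\w[\w\-.+]*\z/;

    return;
}

sanitize_env();

# Same call as in the -e one-liner above; it no longer dies with
# "Insecure $ENV{PATH} while running with -T switch".
my $now = `date`;
print $now;
```

Run it with perl -T (the shebang carries the switch, so invoking it directly works too); with sanitize_env() commented out it reproduces the "Insecure $ENV{PATH}" exception from the transcript above.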