[devel] JFYI: insecure environment variables

Alexey Tourbin =?iso-8859-1?q?at_=CE=C1_altlinux=2Eru?=
Вс Июн 12 21:59:06 MSD 2005


    static char* misc_env[] = {
	"IFS",		/* most shells' inter-field separators */
	"CDPATH",	/* ksh dain bramage #1 */
	"ENV",		/* ksh dain bramage #2 */
	"BASH_ENV",	/* bash dain bramage -- I guess it's contagious */

$ perl -Mdiagnostics -wT -le 'print `date`'
Insecure $ENV{PATH} while running with -T switch at -e line 1 (#1)
    (F) You can't use system(), exec(), or a piped open in a setuid or
    setgid script if any of $ENV{PATH}, $ENV{IFS}, $ENV{CDPATH},
    $ENV{ENV}, $ENV{BASH_ENV} or $ENV{TERM} are derived from data
    supplied (or potentially supplied) by the user.  The script must set
    the path to a known value, using trustworthy data.  See perlsec.

Uncaught exception from user code:
        Insecure $ENV{PATH} while running with -T switch at -e line 1.
 at -e line 1
----------- следующая часть -----------
Было удалено вложение не в текстовом формате...
Имя     : =?iso-8859-1?q?=CF=D4=D3=D5=D4=D3=D4=D7=D5=C5=D4?=
Тип     : application/pgp-signature
Размер  : 189 байтов
Описание: =?iso-8859-1?q?=CF=D4=D3=D5=D4=D3=D4=D7=D5=C5=D4?=
Url     : <http://lists.altlinux.org/pipermail/devel/attachments/20050612/1c8ddfb8/attachment-0001.bin>

Подробная информация о списке рассылки Devel