[VPM] alternative to perl's Open?

Malcolm Dew-Jones yf110 at victoria.tc.ca
Tue Sep 7 11:36:25 CDT 2004


On Tue, 7 Sep 2004, Carl B. Constantine wrote:

> A recent hack here at UVic caused no end of grief for system staff. We
> managed to shut the cracker down, but not before quite a bit of damage
> was done to 75 web pages.
>
> The exploit took advantage of a perl CGI script that used the Open
> command.

1. perl -T  (taint mode)  should always be used for cgi scripts

2. from perldoc -f open

	Use 3-argument form to open a file with arbitrary weird characters
	in it,

	    open(FOO, '<', $file);


3. sysopen

4. When validating file names (for taint mode) it is probably better
   to determine what is allowed and check the name is 100% valid, because
   it is usually easier to know ahead of time what is good than what might
   be bad.  Then, if paranoid, also check for illegal things in the name.
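
Putting points 1, 2 and 4 together, as an added example that is not from the original post (the base directory, the helper names and the sample inputs are assumptions; run it with `perl -T`):

```perl
# Added example, not from the original post: allow-list the name,
# untaint it, then open with the three-argument form. Run as: perl -T script.pl
use strict;
use warnings;

# Assumed directory; a real CGI would use its own document root.
my $BASE = '/var/www/data';

# Accept only names we know are good: letters, digits, dot, dash, underscore,
# no path separators, no leading dot. Under -T, the capture is what untaints.
sub safe_name {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/;
    my $clean = $1;
    # The "paranoid" second check from point 4: reject anything still suspicious.
    return if $clean =~ /\.\./;
    return $clean;
}

sub read_file {
    my ($raw) = @_;
    my $name = safe_name($raw)
        or die "refused: file name not in allowed form\n";
    # Three-argument open: '<' is fixed, so nothing in $name can change the
    # mode or turn the open into a pipe, which the two-argument form allows.
    open(my $fh, '<', "$BASE/$name")
        or die "cannot open $BASE/$name: $!\n";
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed inputs to show the check; none of these come from the post.
for my $input ('report.txt', '../other.txt', 'report.txt|', '.hidden') {
    my $ok = defined safe_name($input) ? 'allowed' : 'refused';
    print "$input => $ok\n";
}
```

Only `report.txt` passes; the other three are refused by the allow-list before `open` is ever reached.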



More information about the Victoria-pm mailing list