Secure Scripting Howto
From Konversation
How to use exec/system calls securely in Perl
Experience has shown that interpreting user data in Perl needs special attention (see http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html ).
For Konversation we are interested in how exec and system calls should be used, so write the list form:
exec $variable1, $variable2, ...;
instead of the single-string form:
exec("$variable1 $variable2");
In the list form Perl passes each element directly to the program as one argument and no shell is involved, so shell metacharacters in the variables are never interpreted. In the string form Perl hands the whole string to /bin/sh -c as soon as it contains shell metacharacters, so anything in the variables is parsed as shell syntax. The same rule applies to system.
How to use backticks securely in Perl
This can be done like this (taken from the media script):
# Emulated backticks using the secure list-form exec call
# ($server and $target are set earlier in the media script)
my $pid;
my $encoding;
# open with "-|" forks; the child's STDOUT is connected to the KID handle
die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
if ($pid) {    # parent: read the single line the child prints
    $encoding = <KID>;
    chomp $encoding if defined $encoding;
    close KID;
}
else {         # child: list-form exec, so $server and $target never reach a shell
    exec 'dcop', 'konversation', 'irc', 'getChannelEncoding', $server, $target
        or die "Can't exec dcop: $!";
}
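The following is an added example, not code from the Konversation media script, showing the list-form rule from both sections above in one place: a run_capture helper that captures a command's output the way the emulated backticks do, using the three-argument pipe open (Perl 5.8 and later) instead of a hand-written fork, and a constructed channel-name-like string with shell metacharacters run through both the list form and real backticks. The helper name and the sample input are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example (not from the Konversation media script): capture a command's
# output without a shell, the list-form equivalent of backticks.
use strict;
use warnings;

# run_capture(@cmd): fork, run @cmd via the list form (no /bin/sh involved),
# and return everything the child wrote to STDOUT. Dies if the fork fails.
# Pass at least two list elements: as with system and exec, a one-element
# command is treated as a string and may go through the shell.
sub run_capture {
    my @cmd = @_;
    open(my $kid, '-|', @cmd) or die "Can't fork: $!";
    my $out = do { local $/; <$kid> };   # slurp the child's whole output
    close $kid;                          # $? now holds the child's exit status
    return defined $out ? $out : '';
}

# Constructed input carrying shell metacharacters, as an attacker-controlled
# channel name or nick might. With the list form echo receives it as one
# literal argument, so "SHOULD-NOT-RUN" is printed, not executed.
my $untrusted = 'foo; echo SHOULD-NOT-RUN';
my $safe = run_capture('echo', $untrusted);
print "list form  : $safe";     # one line: foo; echo SHOULD-NOT-RUN

# Real backticks hand the string to /bin/sh -c because of the ';', so the
# same data is parsed as two commands. Shown only for comparison.
my $unsafe = `echo $untrusted`;
print "backticks  : $unsafe";   # two lines: foo and SHOULD-NOT-RUN
```

Inside run_capture, close on a pipe handle waits for the child and leaves its exit status in $?, so a caller that needs to know whether dcop or another program failed can check $? >> 8 right after the call.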
