develooper Front page | perl.perl5.porters | Postings from May 2003

Re: [perl #22224] updated patches

From: Tels
Date: May 26, 2003 12:14
Subject: Re: [perl #22224] updated patches
Message ID: perl.perl5.porters-76166@nntp.perl.org
-----BEGIN PGP SIGNED MESSAGE-----

Moin,

>-------- Original Message --------
>Subject:        Re: [perl #22224] patch perldiag.pod for POSIX functions, 
>diagnostics.t
>Date:   Thu, 22 May 2003 22:42:37 -0600
>From:   Jim Cromie <jcromie@divsol.com>
>To:     perl-qa@perl.org
>References:     <20030520133002.25016.qmail@web41812.mail.yahoo.com>

>+             system("perldoc $name| /usr/bin/less +/$f
>+             return 1;
>+           }
>+           if ($msg{$_} =~ m|See (\w+)/(\w+)|) {
>+             $name = $1; $sect = $2;
>+             print"err=$orig,name=$name,sect=$sect,pkg=$pkg,func=$func\n";
>+             system("perldoc $name| /usr/bin/less +/$sect");unc");
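Review bot: both system() calls in this hunk hand a single interpolated string to the shell, so $name, $sect and $f are shell-parsed rather than passed to perldoc and less as literal arguments; the only thing keeping shell metacharacters out is the m|See (\w+)/(\w+)| capture on a different line, and nothing at the call site re-checks the values. Suggest re-validating each captured value with an anchored /\A\w+\z/ immediately before use, or building the pipeline with the list form of open()/exec() so no shell is involved, and checking the return value of system() instead of discarding it. The print of "err=$orig,name=$name,..." reads like leftover debugging output and should probably not go into the test. The first quoted line is also cut off at `+/$f` in the archive, so the argument given to less cannot be reviewed as shown.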

Does anybody else see potential ways to abuse this by having system
execute $name = ';rm * -fR'; "perldoc $name|..." someday in the future
(when the \w+ is relaxed by somebody else, for instance, or modified by
another patch)?

Best wishes,

Tels



- -- 
 Signed on Mon May 26 21:11:37 2003 with http://bloodgate.com/tels.asc

 perl -MDev::Bollocks -le'print Dev::Bollocks->rand()'
 administratively embrace exceptional architectures

 http://www.notcpa.org/          You have the freedom to run any code. Yet.
 http://bloodgate.com/perl       My current Perl projects

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.

iQEVAwUBPtJm6XcLPEOTuEwVAQHKCgf/UEiAfzYnl7krQhIDq9lBkBGmd+Lqle/V
i2SEn8e0AcIrZMxeUjiUdXkD0YrqI48mxBOj3XfFirVD5KzvJ5SmrIzJNKNt7QVA
urIfHC+YiJGms0eX+4FwfTBbTiEMsBK49xKSaiNuW+v7DprM1mRhtBXoCZb3k7hH
ewmPA5mesY/RWVaFczSAuDfF9hu9NJWowyBMk7jV5Wa27v+CILiHoQqjbGEk65Pw
P9k4V9RGdBoB718ebB5KhNsGK+e+X3kGall62L8d0c49gB3HuUN/ziLq6XWPOJ/i
OnTUGr4xcdmrByjjYIW4KT05KqKVwJbChbXQbV2+Q3TGJ/GDaAkHrg==
=g0th
-----END PGP SIGNATURE-----
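The concern above is that a one-string system() call is executed via /bin/sh, so anything interpolated into it is parsed as shell syntax. The following is an added example, not part of Tels's message or of the patch under discussion, showing the shell-free way to run the same "perldoc NAME | less +/SECT" pipeline from Perl and re-checking the arguments at the point of use. The helper names (safe_doc_arg, show_doc) and the sample inputs are constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example: running "perldoc NAME | less +/SECT" without a shell.
use strict;
use warnings;

# Accept only an identifier-like value.  The anchors matter: a later change
# to the m|See (\w+)/(\w+)| regex elsewhere in the test would otherwise
# silently change what reaches the command line.  Checking here keeps the
# capture regex and the command invocation independent of each other.
sub safe_doc_arg {
    my ($s) = @_;
    return undef unless defined $s;
    return ($s =~ /\A\w+\z/) ? $s : undef;
}

# Shell-free equivalent of system("perldoc $name| /usr/bin/less +/$sect").
# The list forms of open() never invoke /bin/sh, so $name and $sect are
# passed literally to perldoc and less rather than being parsed as commands.
sub show_doc {
    my ($name, $sect) = @_;
    defined(safe_doc_arg($name)) or die "refusing unsafe page name '$name'\n";
    defined(safe_doc_arg($sect)) or die "refusing unsafe section '$sect'\n";

    open(my $less, '|-', '/usr/bin/less', "+/$sect")
        or die "cannot start less: $!\n";
    open(my $doc, '-|', 'perldoc', $name)
        or die "cannot start perldoc: $!\n";
    # Copy perldoc's output into less ourselves instead of letting a shell
    # wire up the pipe.
    print {$less} $_ while <$doc>;
    close $doc  or warn "perldoc exited with status " . ($? >> 8) . "\n";
    close $less or warn "less exited with status "    . ($? >> 8) . "\n";
    return 1;
}

# Constructed inputs: the first pair is what the "See NAME/SECT" capture is
# meant to produce, the second contains shell metacharacters that a relaxed
# regex could let through.
for my $pair (['perlfunc', 'sprintf'], ['perlfunc;true', 'sprintf']) {
    my ($n, $s) = @$pair;
    my $ok = defined(safe_doc_arg($n)) && defined(safe_doc_arg($s));
    printf "%-16s %-8s %s\n", $n, $s, $ok ? 'accepted' : 'rejected';
}

# Only launch the pager when asked to, so the script can be run just for
# the checks above.
show_doc(@ARGV) if @ARGV == 2;
```

Running the script with no arguments only exercises safe_doc_arg on the two constructed pairs; running it as `perl script.pl perlfunc sprintf` opens the documentation in less through the list-form pipeline, where a value such as `perlfunc;true` is rejected before any process is started.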
