develooper Front page | perl.perl5.porters | Postings from March 2017

[perl #123638] Perl5 Windows Command Injection Vulnerability

Thread Next
bulk88 via RT
March 30, 2017 23:30
[perl #123638] Perl5 Windows Command Injection Vulnerability
Message ID:
On Mon, 20 Mar 2017 02:37:31 -0700, davem wrote:
> I've just moved this ticket to the public queue. The remaining issue
> to be
> discussed is for win32 system(): it will sometimes fallback to using
> the
> shell, even with individual arguments. It's been proposed that this
> behaviour
> should be deprecated:
> +=item system(LIST) fallback to shell deprecated
> +
> +(W deprecated) C<system(LIST)> on Win32 currently falls back to the
> +shell if the supplied program name cannot be found.
> +
> +The Win32 API to create a new process only accepts a single string
> for
> +the process arguments, so to emulate the behaviour on POSIX systems,
> +perl quotes the arguments in the same way as most software on Win32.
> +
> +Unfortunately the Win32 shell accepts arguments escaped in a
> different
> +way to most other Win32 software, which can be used by an attacker.
> Can anyone  see a reason not to do this?
> [NB: I am just the messenger; I have no opinion on this]

This code in miniperl uses shell execute to run a builtin on Win32.

bulk88 ~ bulk88 at

via perlbug:  queue: perl5 status: open

Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About