Vulnerability Development mailing list archives
Re: PERL's -e check
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Thu, 28 Dec 2000 00:08:44 +0100
On Sun, 24 Dec 2000, Joe Testa wrote:
> I've noticed here and there that some PERL scripts pass user input directly into an open() call protected by a "-e" check. Example:
What about a filename denoting some secret file (whose contents would be leaked if such a file was processed by the script)? Or some special directory entry (like a named pipe, /dev/fd/X etc... leading to a disruption of some service)?

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
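One way to handle the two cases raised in this message (an existing but secret file, and an existing but special file), as an added example that is not part of the original post. The directory /var/www/data, the function name open_user_file and the sample requests are assumptions made for illustration, and O_NOFOLLOW requires a platform that defines it (Linux and the BSDs do).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NONBLOCK O_NOFOLLOW S_ISREG);

# Assumption: the script should only ever serve files from this one directory.
my $BASE_DIR = '/var/www/data';   # hypothetical path

# Returns a read-only filehandle for $name, or undef if the request is refused.
sub open_user_file {
    my ($name) = @_;

    # Allowlist the name itself: no slashes, no leading dot, no NUL or
    # shell metacharacters, so neither "../" nor "/dev/fd/0" gets through.
    return undef unless defined $name
        && $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $path = "$BASE_DIR/$1";

    # sysopen never interprets "|", "<" or ">" in the name the way
    # two-argument open() does. O_NOFOLLOW refuses a symlink as the last
    # path component; O_NONBLOCK keeps a FIFO without a writer from hanging us.
    sysopen(my $fh, $path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW)
        or return undef;

    # Check the type on the handle we actually hold, not on the path:
    # a path test such as -e or -f can be raced between check and open.
    my @st = stat($fh);
    unless (@st && S_ISREG($st[2])) {
        close($fh);
        return undef;
    }
    return $fh;
}

# Constructed sample requests. Paths such as /etc/passwd and /dev/fd/0
# exist on a typical Unix system, so a bare -e test would accept them.
for my $req ('report.txt', '/etc/passwd', '../../etc/passwd', '/dev/fd/0', '.htpasswd') {
    my $fh = open_user_file($req);
    printf "%-20s %s\n", $req, $fh ? 'opened' : 'refused';
    close($fh) if $fh;
}
```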
Current thread:
- PERL's -e check Joe Testa (Dec 26)
- Re: PERL's -e check Adam Prato (Dec 26)
- Re: PERL's -e check Matt Zimmerman (Dec 26)
- Re: PERL's -e check Joe Testa (Dec 26)
- Re: PERL's -e check Matt Zimmerman (Dec 28)
- Re: PERL's -e check Juergen P. Meier (Dec 26)
- Re: PERL's -e check Pavel Kankovsky (Dec 27)