Tuesday, April 27, 2010

security awareness test

Ericsson Test

Tags: Ericsson, test, Security

Perl programming: system() cmd

Link ref:
String matching


You need to use a user's input as part of a command, but you don't want to allow the user to make the shell run other commands or look at other files. If you just blindly call the system function or backticks on a single string containing a command line, the shell might be used to run the command. This would be unsafe.

Unlike its single-argument version, the list form of the system function is safe from shell escapes. When the command's arguments involve user input from a form, never use this:

system("command $input @files"); # UNSAFE

Write it this way instead:

system("command", $input, @files); # safer