Tuesday, April 27, 2010
Perl programming: system() cmd
String matching:
Problem:
You need to use a user's input as part of a command, but you don't want to allow the user to make the shell run other commands or look at other files. If you blindly call the system function or backticks on a single string containing the whole command line, Perl hands that string to the shell, which interprets any metacharacters (such as ;, |, or backticks) in the user's input as shell syntax. This is unsafe.
Solution:
Unlike its single-argument version, the list form of the system function is safe from shell escapes. When the command's arguments involve user input from a form, never use this:
system("command $input @files"); # UNSAFE
Write it this way instead:
system("command", $input, @files); # safer
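An added example (not from the original post) that shows the list form in action and checks the result of system. It assumes /bin/echo exists and uses a constructed input string containing shell metacharacters:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input of the kind a web form might submit. It contains a
# ';' and spaces, so it must never be interpolated into a command string.
my $input = 'report.txt; echo metacharacters-were-interpreted';
my @files = ('a.log', 'b c.log');

# UNSAFE: a single string is passed to /bin/sh -c, so the ';' in $input
# terminates the intended command. Left commented out on purpose.
# system("/bin/echo $input @files");

# Safer: with more than one element, system execs the program directly,
# bypassing the shell, so $input and 'b c.log' each arrive as exactly one
# argument. Caveat: a list with a single element that contains
# metacharacters is still handed to the shell, exactly like the string form.
sub run_list {
    my ($cmd, @args) = @_;
    my $rc = system($cmd, @args);
    die "failed to execute $cmd: $!\n" if $rc == -1;
    die sprintf("%s died with signal %d\n", $cmd, $? & 127) if $? & 127;
    return $? >> 8;    # the child's exit status
}

# /bin/echo simply prints its arguments back, so the output shows the
# whole of $input on one line as literal text rather than being executed.
my $status = run_list('/bin/echo', $input, @files);
print "exit status: $status\n";
```

Because system returns the raw wait status, always decode it as above rather than treating any non-zero value as the program's exit code.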