- Path: sparky!uunet!enterpoop.mit.edu!senator-bedfellow.mit.edu!athena.mit.edu!ckclark
- From: ckclark@athena.mit.edu (Calvin Clark)
- Newsgroups: comp.lang.perl
- Subject: Re: "Secure" way to find out hostname
- Date: 6 Jan 1993 17:22:54 GMT
- Organization: Massachusetts Institute of Technology
- Lines: 37
- Message-ID: <CKCLARK.93Jan6122253@w20-575-84.mit.edu>
- References: <1id258INN8j6@nntp1.radiomail.net> <1993Jan6.140149.11253@Lehigh.EDU>
- Reply-To: ckclark@mit.edu
- NNTP-Posting-Host: w20-575-84.mit.edu
- In-reply-to: lusol@Lehigh.EDU's message of 6 Jan 93 14:01:49 GMT
-
- In article <1993Jan6.140149.11253@Lehigh.EDU> lusol@Lehigh.EDU (Stephen O. Lidie) writes:
-
-
- $euid = $>; # user
- $> = $<;
- ..
- chop($hostname = `/bin/hostname`);
- ..
- $> = $euid; # back to root or whatever
-
-
- OK you Perl heavies, let's hear the full 'how to untaint' story....
-
- A full enough story is in the perl man page. The likely problem here is
- that taintperl does not trust $PATH inherited from the environment, and
- if you try to set $ENV{'PATH'}, it cannot reference any variable
- previously marked as tainted. So this is okay:
-
- $ENV{'PATH'} = "/bin:/usr/bin";
- chop($hostname = `/bin/hostname`);
-
- but this is bad:
-
- $oldpath = $ENV{'PATH'};
- $ENV{'PATH'} = "/bin:/usr/bin:$oldpath";
- chop($hostname = `/bin/hostname`);
-
- Simply specifying /bin/hostname is not good enough for taintperl, since
- it doesn't know that /bin/hostname won't execvp() or system() or
- popen() some random command using the user-specified path.
-
- A fairly complete explanation of what you have to do to your scripts is
- given in the Camel Book.
-
- -Calvin
- --
- Calvin Clark <ckclark@mit.edu>
-
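The PATH behaviour described in the reply above, as an added example that is not part of the original post. It assumes Perl 5, where the `-T` switch replaced the separate `taintperl` binary, and a system that has `/bin/hostname`; the helper `try_hostname` and the hostname pattern are illustrative choices.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the post. Run as: perl -T taint_hostname.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec lists these alongside PATH as variables checked before a subprocess runs.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: run /bin/hostname and report whether taint mode allowed it.
sub try_hostname {
    my ($label) = @_;
    my $out = eval { `/bin/hostname` };   # taint violations die; eval catches them
    if (!defined $out) {
        (my $why = $@ || "command failed: $!") =~ s/ at .*//s;
        print "$label: refused ($why)\n";
        return;
    }
    chomp $out;
    print "$label: ran, output tainted=", (tainted($out) ? 1 : 0), "\n";
    return $out;
}

# 1. PATH as inherited from the caller's environment is tainted.
my $oldpath = $ENV{PATH} // '';
try_hostname("inherited PATH");

# 2. The "bad" form: a constant prefix does not help, because interpolating
#    the tainted old value taints the whole string.
$ENV{PATH} = "/bin:/usr/bin:$oldpath";
try_hostname("constant + old PATH");

# 3. The "okay" form: PATH built only from constants.
$ENV{PATH} = "/bin:/usr/bin";
my $host = try_hostname("constant PATH");

# 4. Output read from the command is itself tainted. Validate it with a
#    pattern and keep only the capture, which is how data is untainted.
if (defined $host && $host =~ /\A([A-Za-z0-9.-]+)\z/) {
    $host = $1;
    print "validated hostname tainted=", (tainted($host) ? 1 : 0), "\n";
}
```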