From: Glynn Clements (glynn.clements_at_virgin.net)
Date: Thu Jan 23 2003 - 17:00:40 CST
Sandeep Giri wrote:
> Thanks a lot to you and all who replied to my mesg.
> Taking chapter from replies, now I've changed my code to:
>
> #!/usr/bin/perl -T -W
> my $key_words;
> my $help;
> GetOptions('kw=s' => \$key_words,
> 'help' => \$help) || usage();
> my @args = ($Keywords,....);
> my @cmd = ("$JAVA",
> "-search.home=$SEARCH_HOME",
> "Searcher",
> @args);
> (system(@cmd) == 0) || error();
>
> Need I be more paranoid than this and use my own regex to filter out
> keywords myself?
By passing an array to system(), you ensure that the shell won't be
used.
There's still the issue of whether the target program can cope with
every possible combination of arguments which might be thrown at it.
That's really an issue for the target program itself rather than the
script which calls it. However, if you have any doubts about the
vulnerability of the target program, you might want to limit its
arguments to only those which make sense.
After all, there wouldn't be any need for mail servers to perform
virus scanning if Outlook etc weren't actually susceptible to viruses.
-- Glynn Clements <glynn.clements@virgin.net>
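The two points in the reply above (list-form system() keeps the shell out, and arguments can be limited to those that make sense) combined in one script, as an added example that is not part of the original message. The paths, the comma-separated keyword format and the allowlist pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Getopt::Long;

# Taint mode refuses to run external programs with an untrusted environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed locations: placeholders, not values from the original post.
my $JAVA        = '/usr/bin/java';
my $SEARCH_HOME = '/opt/search';

# Check one keyword against an allowlist and return the untainted copy,
# or undef if it does not match. The pattern is an assumption: 1-64
# characters, first one alphanumeric, so a keyword can never start with
# '-' and be read as an option by the target program. \A and \z anchor
# the whole string; '$' would also accept a trailing newline.
sub clean_keyword {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

my $key_words;
GetOptions('kw=s' => \$key_words)
    or die "usage: $0 --kw word[,word...]\n";
die "usage: $0 --kw word[,word...]\n" unless defined $key_words;

# Assumption: several keywords arrive as one comma-separated value.
my @args;
for my $word (split /,/, $key_words) {
    my $ok = clean_keyword($word);
    die "rejected keyword\n" unless defined $ok;   # do not echo raw input
    push @args, $ok;
}
die "no keywords given\n" unless @args;

my @cmd = ($JAVA, "-search.home=$SEARCH_HOME", 'Searcher', @args);

# The indirect-object form never invokes a shell, even for a one-element
# list; each keyword reaches the target as exactly one argv entry.
system { $cmd[0] } @cmd;
die "could not run $JAVA: $!\n" if $? == -1;
die "search failed, wait status $?\n" if $? != 0;
```

The regex capture is also what clears the taint flag, so a keyword that skips clean_keyword() makes system() die under -T on current Perl versions.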