How do I prevent the system command in Perl from executing any shell commands?
views: 78
answers: 3
+2
A:
Require them to be found in the path. Executables on the path are not shell commands.
Axeman
2010-10-11 21:05:18
That is, until someone inserts a shell script into one of the directories. Merely requiring it to be in the PATH is just a speedbump.
brian d foy
2010-10-12 01:57:16
@brian, well he didn't mention why he didn't want to run shell commands, so I had to back-fill there. One of the reasons I came up with is that shell commands might fail on a given platform because they only are valid within a shell.
Axeman
2010-10-12 13:24:15
+3
A:
If you don't want system to run shell commands, don't use system because that's what it is there to do.
If you're talking about running only the commands that you want to run, there are various ways around that. I talk about some of them in Mastering Perl's security chapter. However, you'll have to clarify what problems you are trying to avoid.
brian d foy
2010-10-11 22:50:10
Sorry, what exactly I meant was that I need to allow some commands but not all of them.
Jonathan
2010-10-12 00:29:41
+1
A:
You can mock system by setting up an alias to CORE::GLOBAL::system:
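BEGIN {
    # Override the built-in system() for code compiled after this point
    *CORE::GLOBAL::system = \&mock_system;
}

sub mock_system {
    my @cmd = @_;
    if ("@cmd" eq "/bin/ls /tmp") {
        # The one permitted command: hand it to the real system()
        return CORE::system(@cmd);
    } else {
        warn "You may only use 'system' to list the /tmp directory";
        return 256;    # non-zero status, as if the command exited with code 1
    }
}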
This wouldn't protect you from somebody explicitly calling CORE::system, though.
socket puppet
2010-10-12 00:53:33
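
For the "allow some commands but not all" case raised in the thread, an allowlist wrapper that resolves names to absolute paths and bypasses the shell addresses both the PATH concern and the shell-command concern. This is an added example, not code from any of the answers; the name run_allowed, the %ALLOWED table and its paths are assumptions to adapt to your system.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist (assumption): logical name => absolute path.
# Absolute paths mean a script dropped into a PATH directory is never picked up.
my %ALLOWED = (
    ls   => '/bin/ls',
    date => '/bin/date',
);

# Run an allowlisted program without involving /bin/sh.
# Returns the program's exit code, or -1 if it was refused, could not be
# started, or was killed by a signal.
sub run_allowed {
    my ($name, @args) = @_;

    my $path = defined $name ? $ALLOWED{$name} : undef;
    unless (defined $path) {
        warn "refused: command is not on the allowlist\n";
        return -1;
    }

    # Fixed, minimal environment for the child instead of the caller's.
    local %ENV = (PATH => '/usr/bin:/bin');

    # Indirect-object form: Perl exec()s $path directly and never hands the
    # command to a shell, even when @args is empty. Shell metacharacters in
    # @args therefore reach the program as plain argument bytes.
    my $status = system { $path } $path, @args;

    if ($status == -1) {
        warn "could not start $path: $!\n";
        return -1;
    }
    if ($status & 127) {
        warn "$path died from signal ", ($status & 127), "\n";
        return -1;
    }
    return $status >> 8;
}

# Constructed calls:
run_allowed('ls', '/tmp');                  # allowlisted, executed directly
run_allowed('ls', '/tmp; echo injected');   # one literal argument, no second command
run_allowed('rm', '/tmp/x');                # not on the allowlist, refused
```

As with the CORE::GLOBAL::system override above, this only constrains code that goes through the wrapper. Arguments are still passed to the program unchanged, so option-like or path arguments need their own validation.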