Bugtraq mailing list archives
Re: Vulnerability in Majordomo
From: merlyn () STONEHENGE COM (Randal Schwartz)
Date: Tue, 26 Aug 1997 18:45:55 -0700
"Steve" == Steve Hill <steve_hill () VNET IBM COM> writes:
Steve> By far the safest way of doing any sort of validation is to
Steve> provide a list of the safe characters, and not permit anything
Steve> else. The perl to implement such a scheme is remarkably simple:
Steve> $reply_addr =~ s/[^\w\.@-]//g;
Steve> This will remove all characters which are not alphanumeric, a
Steve> period, an at symbol or a hyphen. Of course, you may like to
Steve> include a small piece of code which saves insecure strings in a
Steve> file somewhere, along with the sender.

No. The *very* safest way is "Don't let data anywhere near a shell!"

The CGI FAQ tells how to do this stuff right. So does the Perl FAQ (which now ships *with* Perl as part of the distribution). So does the (new) Camel book.

There's no excuse for letting data of any kind get anywhere near a shell line. Ugh. Especially with the ultra-flexible Perl constructs.

--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <merlyn () stonehenge com> Snail: (Call) PGP-Key: (finger merlyn () ora com)
Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
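The two positions in this exchange side by side, as an added Perl example that is not part of either poster's message: Steve's allow-list scrub, a reject-on-mismatch validator, and a delivery routine that uses the list form of open() so the address never reaches a shell. The sample addresses and the sendmail path are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs: one ordinary address, one carrying
# shell metacharacters of the kind the thread is worried about.
my @inputs = ('user@example.com', 'user@example.com;echo owned>/tmp/x');

# Approach 1 (the quoted post): delete everything outside an allow-list.
# It never fails, but it silently rewrites the address instead of
# rejecting it, so the caller cannot tell that something was stripped.
sub scrub_addr {
    my ($addr) = @_;
    $addr =~ s/[^\w.\@-]//g;
    return $addr;
}

# Approach 2: match the whole value against an explicit pattern and
# return undef on failure.  Under perl -T the capture also untaints it.
sub validate_addr {
    my ($addr) = @_;
    return $addr =~ /\A([\w.-]+\@[\w.-]+)\z/ ? $1 : undef;
}

# Approach 3: never build a shell command line at all.  The list form of
# open() execs the program directly, one argument per element, so the
# address is delivered as a single argv entry and no shell ever parses it.
# (Assumes a local sendmail binary at the conventional path.)
sub pipe_to_sendmail {
    my ($addr) = @_;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '--', $addr)
        or die "cannot exec sendmail: $!\n";
    print {$mail} "To: $addr\nSubject: test\n\n(body)\n";
    close($mail) or die "sendmail exited with status $?\n";
}

for my $in (@inputs) {
    printf "input:     %s\n", $in;
    printf "scrubbed:  %s\n", scrub_addr($in);
    my $ok = validate_addr($in);
    printf "validated: %s\n", defined $ok ? $ok : '(rejected)';
    # Enable on a host with a working MTA; only validated input is passed.
    # pipe_to_sendmail($ok) if defined $ok;
}
```

Run it and note that the scrubbed form of the second input is a mangled but "clean-looking" address, whereas the validator rejects it outright; either way, only the list-form open() keeps the shell out of the picture entirely.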