Vulnerability Development mailing list archives

Re: PERL's -e check


From: Matt Zimmerman <mdz () CSH RIT EDU>
Date: Wed, 27 Dec 2000 23:42:12 -0500

On Tue, Dec 26, 2000 at 04:20:51PM -0500, Joe Testa wrote:

     Given the responses I received from people, I now realize that I
should have been more clear.
     I want to know if there is any way to pass shell metacharacters
through the $temp_file variable in such a way that would pass the "-e"
check but still make it to the open() call.  Of course, let's forget that my
example uses "<", because this prevents "|" from working.
     I already tried inserting nulls here and there, but without success.

The problem is that stat(), open() and exec() all use null-terminated strings.
So, while you can fool stat() into thinking that a file exists--for example,
one represented by the Perl string "/bin/sh\000||/tmp/do_evil|", or some
such--when Perl passes the string to open() or exec(), it will get the same
string that stat() gets.  So you can fool these functions, but in this case it
doesn't get you anywhere (that I can see), because you fool all of them.

--
 - mdz
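The thread turns on two things: the `-e` test and the later `open()` see the same NUL-terminated C string, and a two-argument `open()` interprets characters such as `<`, `>` and `|` in that string as a mode or a pipe rather than as part of a file name. The defensive fix is to validate the name once and then hand it to a three-argument `open()` with an explicit mode, so the string can only ever be a path. The following Perl is an added example written for this page, not code from the thread or from either poster; the function names `read_file_unsafe` and `read_file_safe` and the character whitelist are assumptions, and the first function is kept only to show the pattern the thread is discussing side by side with the hardened one.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): the -e/2-arg open pattern
# under discussion next to a hardened 3-arg open with up-front validation.
use strict;
use warnings;

# Pattern under discussion. The -e test and open() receive the same C string
# (both truncated at any embedded NUL), so they agree with each other, but a
# two-argument open() still parses leading/trailing "<", ">" or "|" as a mode
# or pipe specification instead of as part of the file name.
sub read_file_unsafe {
    my ($temp_file) = @_;
    return undef unless -e $temp_file;
    open(my $fh, $temp_file) or return undef;   # 2-arg open: mode is taken from the string
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened version: reject anything that is not a plain file name, then open
# read-only with an explicit mode so "<" is the mode, never part of the name.
sub read_file_safe {
    my ($temp_file) = @_;

    # Refuse embedded NUL (the "\000" trick from the thread) and any character
    # outside a conservative whitelist (assumed policy; tighten as needed).
    return undef if !defined $temp_file
                 || index($temp_file, "\0") >= 0
                 || $temp_file !~ m{\A[A-Za-z0-9._/-]+\z};

    # Refuse ".." path components so the whitelist cannot be used to climb out
    # of the intended directory.
    return undef if $temp_file =~ m{(?:\A|/)\.\.(?:/|\z)};

    # Require a regular file: -f, unlike -e, also rules out FIFOs and devices.
    return undef unless -f $temp_file;

    # 3-arg open: the mode is a separate argument, so the name is only a path.
    open(my $fh, '<', $temp_file) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Usage (constructed input): a name carrying a trailing "|" or an embedded NUL
# is rejected by read_file_safe before any filesystem call is made.
for my $name ("/etc/hostname", "/bin/sh\0||/tmp/x|", "notes.txt|") {
    my $shown = $name =~ s/\0/\\0/gr;
    printf "%-24s -> %s\n", $shown,
        defined read_file_safe($name) ? "read ok" : "rejected or unreadable";
}
```

The check and the open are deliberately given the same already-validated scalar; validating a copy and opening the original would reintroduce exactly the mismatch the thread is worried about. `-f` is used instead of `-e` because the reader wants a regular file, not merely something that exists at that path.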

