Vulnerability Development mailing list archives
Re: PERL's -e check
From: Joe Testa <jst3290 () RITVAX ISC RIT EDU>
Date: Tue, 26 Dec 2000 16:20:51 -0500
At 07:11 PM 12/24/2000 -0500, you wrote:
> Hi all -- I've noticed here and there that some PERL scripts pass user
> input directly into an open() call protected by a "-e" check. Example:
>
> # $temp_file is taken from the submitted form
> if(-e $temp_file) {
>   open(TEMP, "<$temp_file");
>   ...
> }
>
> Is there any trick that would bypass the "-e"? Thanks in advance.
>
> - Joe Testa
>
> P.S. Greets to @stake and the cDc.

Given the responses I received from people, I now realize that I should have been more clear. I want to know if there is any way to pass shell metacharacters through the $temp_file variable in such a way that would pass the "-e" check but still make it to the open() call. Of course, let's forget that my example uses "<", because this prevents "|" from working. I already tried inserting nulls here and there, but without success.

- Joe Testa

P.S. I'd like to personally thank Joseph Nicholas Yarbrough <nyarbrough () lurhq com> for privately replying to my first post to insult my "P.S." greets. Thanks for your immaturity, Joe!
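
A hardened counterpart to the "-e" then open() pattern quoted above, added here as an example and not code from the thread or its participants. The helper name `open_upload`, the single-directory layout and the sample file names are hypothetical, and it assumes a platform whose Fcntl defines O_NOFOLLOW (Linux, the BSDs).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);
use File::Temp qw(tempdir);

# Hypothetical helper: open a user-named file from one fixed directory.
sub open_upload {
    my ($base_dir, $name) = @_;

    # Allowlist the name: no slashes, NUL bytes, or shell/mode characters,
    # and no leading dot (which also rules out "." and "..").
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    my $path = "$base_dir/$1";

    # No separate -e test: sysopen takes the path literally (no mode or pipe
    # parsing), and its failure is the existence check, so there is no gap
    # between check and use. O_NOFOLLOW refuses a symlink as the last component.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or return;

    # Inspect the handle that was actually opened, not the name.
    return unless -f $fh;
    return $fh;
}

# Constructed sample input, run against a scratch directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/report.txt") or die "create: $!";
print {$out} "hello\n";
close($out);

for my $name ('report.txt', '../report.txt', 'report.txt|', '>report.txt', 'missing.txt') {
    my $fh = open_upload($dir, $name);
    printf "%-16s %s\n", $name, $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```

Where the two-argument form has to be replaced in place, the three-argument `open(my $fh, '<', $path)` gives the same literal treatment of the file name.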