sybperl-l Archive

From: Michael Peppler <mpeppler at MBAY dot NET>
Subject: Re: Executing sql statements stored in a file
Date: Sep 17 1997 8:53PM

Rakesh Dinger wrote:
> 
> Michael Peppler wrote:
> > > ==>  Insecure dependency in system while running setuid at /dev/fd/3 line 281,
> > >       chunk 13.
> >
> > You should be able to fix that by using an absolute path to isql (ie
> > something like
> >
> > system ("/usr/local/sybase/bin/isql -Usa -S$SVR -P$PWD -i $PROCFILE");
> >
> 
> Paul S R Chisholm wrote:
> > > ==>  Insecure dependency in system while running setuid at /dev/fd/3 line 281,
> > >       chunk 13.
> 
> > Try setting PATH to a fixed value, e.g., '/usr/bin:/opt/sybase/bin',
> > instead of inheriting it from the environment? (If it works, please
> > tell the Sybperl list.)
> 
> I tried both approaches and found that it works only when all the values are
> hard-coded: whenever it encounters a variable, it complains. Hardcoding all
> the values is not practical especially when $SVR and $PWD are variables.

The problem is with 'tainting' of variables (i.e. where the interpreter
does not *know* what might be in the variable; for example, if $PWD was
really 'myPwd;rm -rf *' you'd get some very unexpected results...).
The trick in that case is to 'untaint' the variables.

This can be done by doing something like:
	$PWD =~ /(\w+)/;
	$PWD = $1;

which would take the first set of consecutive 'word' characters and
assign it back to $PWD.

Michael
-- 
Michael Peppler       -||-  Data Migrations Inc.
mpeppler@datamig.com  -||-  http://www.mbay.net/~mpeppler
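
The three suggestions in this thread (absolute path to isql, fixed PATH, regex untainting) combined into one script, as an added example that is not part of the original message. It goes slightly further than the thread by anchoring the pattern, checking that the match succeeded, and using the list form of system(); the helper name `untaint_word` and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread). Run as: perl -T untaint_isql.pl
use strict;
use warnings;

# Under taint mode (implied when setuid) the environment is untrusted too:
# fix PATH and drop variables the shell would honour.
$ENV{PATH} = '/usr/bin:/opt/sybase/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $value only if the WHOLE string consists of
# word characters; die otherwise. Checking the match result matters: after
# a failed match, $1 still holds the capture from an earlier successful one.
sub untaint_word {    # hypothetical helper name
    my ($name, $value) = @_;
    defined $value && $value =~ /\A(\w+)\z/
        or die "refusing $name: contains characters outside [A-Za-z0-9_]\n";
    return $1;
}

# Constructed sample inputs standing in for values read from outside.
my %input = (
    SVR      => 'SYBASE_DEV',
    PWD      => 'myPwd;rm -rf *',    # the hostile value from the message above
    PROCFILE => 'procs_sql',
);

my %clean;
for my $name (sort keys %input) {
    $clean{$name} = eval { untaint_word($name, $input{$name}) };
    print defined $clean{$name} ? "ok      $name\n" : "REJECT  $@";
}

# List-form system() hands each argument straight to the program with no
# shell in between, so metacharacters are never interpreted.
my $isql = '/usr/local/sybase/bin/isql';    # absolute path, as suggested above
if (!grep { !defined } values %clean) {
    my @cmd = ($isql, '-Usa', "-S$clean{SVR}", "-P$clean{PWD}",
               '-i', $clean{PROCFILE});
    system(@cmd) == 0 or warn "isql exited with status $?\n";
}
```

With the constructed inputs above, PWD is rejected and isql is never started; an unanchored `/(\w+)/` would instead have silently shortened the value to `myPwd`.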