sybperl-l Archive
From: Michael Peppler <mpeppler at MBAY dot NET>
Subject: Re: Executing sql statements stored in a file
Date: Sep 17 1997 8:53PM
Rakesh Dinger wrote:
>
> Michael Peppler wrote:
> > > ==> Insecure dependency in system while running setuid at /dev/fd/3 line 281,
> > > chunk 13.
> >
> > You should be able to fix that by using an absolute path to isql (ie
> > something like
> >
> > system ("/usr/local/sybase/bin/isql -Usa -S$SVR -P$PWD -i $PROCFILE");
> >
>
> Paul S R Chisholm wrote:
> > > ==> Insecure dependency in system while running setuid at /dev/fd/3 line 281,
> > > chunk 13.
>
> > > Try setting PATH to a fixed value, e.g., '/usr/bin:/opt/sybase/bin',
> > instead of inheriting it from the environment? (If it works, please
> > tell the Sybperl list.)
>
> I tried both approaches and found that it works only when all the values are
> hard-coded: whenever it encounters a variable, it complains. Hardcoding all
> the values is not practical especially when $SVR and $PWD are variables.

The problem is with 'tainting' of variables (ie where the interpreter
does not *know* what might be in the variable for example if $PWD was
really 'myPwd;rm -rf *' you'd get some very unexpected results...).

The trick in that case is to 'untaint' the variables.

This can be done by doing something like:

    $PWD =~ /(\w+)/;
    $PWD = $1;

which would take the first set of consecutive 'word' characters and
assign it back to $PWD.

Michael
--
Michael Peppler -||- Data Migrations Inc.
mpeppler@datamig.com -||- http://www.mbay.net/~mpeppler
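
An added example, not part of the original message: a stricter form of the untainting step that validates the whole value and rejects it on mismatch, then passes the results to isql in list form so no shell is involved. The server name, file path, allow-list patterns and the helper names `untaint` and `build_isql_argv` are assumptions made for illustration; the isql path and flags are the ones quoted in the thread.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Run as: perl -T untaint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A zero-length slice of tainted data is itself tainted; appending it marks
# the constructed sample values below as if they came from outside.
my $taint = substr(join('', values %ENV), 0, 0);

# Taint mode also distrusts the inherited environment, so pin it.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by matching the WHOLE value against an allow-list pattern.
# An unanchored /(\w+)/ keeps the first word of hostile input, and after a
# failed match $1 still holds whatever an earlier match captured.
sub untaint {
    my ($name, $value, $pattern) = @_;
    defined $value && $value =~ /\A($pattern)\z/
        or die "refusing $name: value does not match $pattern\n";
    return $1;    # a regex capture is considered clean by Perl
}

sub build_isql_argv {
    my (%in) = @_;
    my $svr  = untaint(svr      => $in{svr},      qr/\w+/);
    my $pwd  = untaint(pwd      => $in{pwd},      qr/\w+/);
    my $file = untaint(procfile => $in{procfile}, qr{/[\w/]+\.sql});
    # List form: Perl runs isql directly, no shell parses the arguments.
    return ('/usr/local/sybase/bin/isql', '-Usa', "-S$svr", "-P$pwd",
            '-i', $file);
}

# Constructed sample input: one hostile password (from the post), one clean.
for my $pwd ('myPwd;rm -rf *', 'myPwd') {
    my %input = (
        svr      => 'SYBASE1' . $taint,
        pwd      => $pwd . $taint,
        procfile => '/tmp/procs.sql' . $taint,
    );
    printf "input tainted: %s\n", tainted($input{pwd}) ? 'yes' : 'no';
    my @argv = eval { build_isql_argv(%input) };
    if ($@) { print "rejected: $@"; next; }
    die "argument still tainted\n" if grep { tainted($_) } @argv;
    print "ok: @argv\n";
    # system(@argv) == 0 or die "isql failed: $?\n";   # enable where isql exists
}
```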