Mailing List Archive
tlug.jp Mailing List tlug archive tlug Mailing List Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]Re: [tlug] Re: tlug] Security question with grep/e...
- Date: Tue, 23 Mar 2004 17:25:15 +0000
- From: Tim Hurman <kano-tlug@example.com>
- Subject: Re: [tlug] Re: tlug] Security question with grep/e...
- References: <200403230503.i2N53juu011858@example.com>
- User-agent: Mutt/1.5.6i
On Tue, Mar 23, 2004 at 04:03:45PM +1100, Jim Breen wrote: > "Stephen J. Turnbull" <stephen@example.com> wrote: > >> > >> >>>>> "Jim" == Jim Breen <Jim.Breen@example.com> writes: > >> > >> Jim> [...] the CGI program would do a system() call [...] > >> > >> Since you care about the host, don't do system() calls. There are too > >> many ways to break the call itself, and you then become hostage to any > >> security holes that may exist in the called programs as well. > > Can you be more specific about the risks? As I understand it, doing a > system("foobar par1 par2"); just stokes up /bin/sh under my account (it's > usually cgiwrap or equivalent) and runs foobar. No different from my running > foobar myself. I'm not doing it with anything suid, etc. I don't have su > rights on the host. > > >> What's wrong with using the native regexp facility of whatever you're > >> using to write the CGI? Even if it's in C or C++, the POSIX regcomp/ > >> regexec facility is not rocket science to use. That's what you'd be > >> using with grep, anyway, AFAIK. > > Two reasons: > > (a) laziness. It's easier to stoke up a system call than open the file and > do it line-by-line. Actually it's *MUCH* easier than regexec()'s > horrible call; > > (b) portability. I have actually found some of those libraries not > so smoothly implemented. Since I have mirrors on Solaris, AIX, FreeBSD > and almost all Linices, system("egrep ..."); seemed more likely to > work on them all. (iconv(), for example, has some problems on the AIX > system, probably because of code-table differences.) Would it not be easier just to do this in PERL anyway, here is my reasoning, 1) before doing the system(), you have to do a whole lot of messing to get the output of the egrep back (not to mention parsing it), this basically involves a fork(), but it is an expensive call and a lot of usage may affect the machine. 2) charsets. Even though you are passing stuff to egrep, I would presume you have to have it in a common charset, and the likelyhood is that you will get it in utf-8, which may or may not be a good thing depending on the charset you are comparing it to. Also you may have multiple encodings for a double quote. 3) egrep is going to involve a lot of file IO, are yor disks up to it? however a few ideas about putting it in PERL: 1) charsets are sorted, you just let PERL handle the conversion (from 5.6 onwards), no matter what the OS. PERL knows about broken iconvs and oddities on different platforms. 2) you can loose even the initial fork from apache(?) by using modperl. 3) you can easily put your entire sentance list into a hash/DBM which could be easier to search, and depending on the size, completely memory resident. 4) your security problems are simplified, die unless ($user_str =~ m/^[\w.]+$/); PERL's regexes also know about charsets, what characters belong to each class and multiple encodings for characters. 5) you lose the system() call and dont have to worry about egrep incompatabilities. 6) you get rid of SEGVs when mis-calculating the buffer size needed for a multibyte character strings and all the other C nasties. I am sure there are other arguments for both both sides, but I think it would actually be lazier jsut to do it in PERL. Tim.
- Follow-Ups:
- Re: [tlug] Re: tlug] Security question with grep/e...
- From: Josh Glover
- Re: [tlug] Re: tlug] Security question with grep/e...
- From: Stephen J. Turnbull
- References:
- [tlug] Re: tlug] Security question with grep/e...
- From: Jim Breen
Home | Main Index | Thread Index
- Prev by Date: Re: [tlug] Re: tlug] Security question with grep/e...
- Next by Date: Re: [tlug] Re: tlug] Security question with grep/e...
- Previous by thread: Re: [tlug] Re: tlug] Security question with grep/e...
- Next by thread: Re: [tlug] Re: tlug] Security question with grep/e...
- Index(es):
Home Page Mailing List Linux and Japan TLUG Members Links