
Re: [SpeechIO-195] speechd v0.54 - morse code support

On Mon, 15 Nov 1999, Kyle Burton wrote:

> It's not safe :)  You have to separate the arguments into an array 
> when you pass them to system().  I assume the single quotes you have
> used are to account for the possibility of spaces being in $text -- if
> you use the array syntax for system(), the quotes aren't necessary -- 
> actually, the fact that you used the quotes shows that you were trying
> to protect the spaces from the shell :)  Instead, do something like this:
> system($cmd,$text);
> This passes $text directly into the argv of $cmd, and no shell is ever
> invoked (so it's more efficient too).  To be really safe, you should 
> make sure $cmd is fully pathed, i.e. '/usr/bin/morse' instead of just 
> 'morse'.  Using the array syntax is actually more efficient too, as
> there is no intermediate shell invoked to parse the arguments.

Cool, that's why I asked.

> Now that I've looked at the code, I kind of realize that we should
> add -T to the command line (which could be a little bit of work
> to make the code taint safe).  The code should be converted to use
> an array (@cmd) instead of a scalar ($cmd) to be safe when performing
> exec()s, pipe open()s, and system() calls.

I've wanted taint checking in there since I'd heard about it, but I
completely forgot about it.

PGP fingerprint = 03 5B 9B A0 16 33 91 2F  A5 77 BC EE 43 71 98 D4
            darxus@op.net / http://www.op.net/~darxus
             Find the next largest prime, be famous:
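The two points raised in this thread, the list form of system()/open() and running under -T, put together in one small Perl script. This is an added illustration, not code from speechd or from either poster; /bin/echo stands in for /usr/bin/morse so it runs anywhere, and the untaint_text() helper and the character set it allows are assumptions chosen for this example, not anything the speechd code defines.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Under -T the environment is tainted, and system()/exec()/pipe open()
# refuse to run while $ENV{PATH} is untrusted, even for a fully pathed
# command. Set a fixed PATH and drop the variables perlsec warns about.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Command as an array, fully pathed. /bin/echo is a stand-in for
# /usr/bin/morse in this example.
my @cmd = ('/bin/echo');

# Taint mode will not let data from @ARGV, STDIN, etc. reach system()
# until it has passed through a regex capture. Only text made of the
# characters a morse converter needs is accepted; the set is an
# assumption for this example.
sub untaint_text {
    my ($text) = @_;
    return undef unless defined $text;
    if ($text =~ /\A([A-Za-z0-9 .,?'"-]{1,200})\z/) {
        return $1;    # $1 is untainted
    }
    return undef;
}

# Unsafe pattern the thread is about (NOT executed here):
#   system("$cmd '$text'");
# The string is handed to /bin/sh, so a single quote inside $text ends
# the quoted argument early and the rest is parsed as shell syntax.

# Safe pattern: list form. $clean becomes one argv entry; no shell is
# involved, so spaces and quotes inside it are passed through verbatim.
sub run_list_form {
    my ($text) = @_;
    my $clean = untaint_text($text);
    die "refusing text with characters outside the allowed set\n"
        unless defined $clean;
    my $rc = system(@cmd, $clean);
    return $rc == 0;
}

# The same idea for a pipe open(): the three-or-more-argument form with
# '-|' runs the command directly and lets us read its output.
sub capture_list_form {
    my ($text) = @_;
    my $clean = untaint_text($text);
    die "refusing text with characters outside the allowed set\n"
        unless defined $clean;
    open(my $fh, '-|', @cmd, $clean)
        or die "cannot run $cmd[0]: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed input (from the command line if given, so it is tainted):
# it contains both a space and a single quote, exactly the case that the
# scalar form with hand-written quotes gets wrong.
my $input = @ARGV ? $ARGV[0] : "don't panic";

print "system() list form ok: ", (run_list_form($input) ? "yes" : "no"), "\n";
print "pipe open output: ", capture_list_form($input);
```

Run it as `perl -T script.pl "don't panic"` (the -T must be given on the command line or via the shebang when the file is executed directly). With the default input, both calls pass the string `don't panic` as a single argument and /bin/echo prints it back unchanged; an input containing a character outside the allowed set dies before any command is started, which is the behaviour -T is meant to enforce.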