re: Unsafe SWISH calls from Perl

From: Javier Wilson <jwilson(at)not-real.ibw.com.ni>
Date: Tue Sep 12 2000 - 17:29:41 GMT

If you are using Perl you can always regex to remove unwanted
characters to accept only letters:

$query =~ tr/A-Za-z //cd;

or to be a bit less strict (letters, numbers, wildcards, etc.),
as in the CGI example on the swish-e web page:

$query =~ s/[^a-zA-Z0-9\-\_\*\.\@\(\)\=\" ]/ /g;


javier wilson

----- Original Message -----
From: "Chris Humphries" <ChrisJMH@vermilion99.freeserve.co.uk>
To: "Multiple recipients of list" <swish-e@sunsite.berkeley.edu>
Sent: Tuesday, September 12, 2000 6:30 AM
Subject: [SWISH-E] re: Unsafe SWISH calls from Perl


> Is the "unsafe" call to SWISH from Perl,
>
> open(SWISH, "$swish -w $query -m $results $search_tags -f $index|");
>
> unsafe on ANY platform?
>
> Are there any obvious ways of checking the values passed to remove
> suspicious characters?
>
> Are there legitimate strings that one could search for that would be
> interpreted as system commands?
>
> Are PCs susceptible to something like the shell-escape problem that UNIX
> has?
>
> Chris Humphries
>
Received on Tue Sep 12 17:29:55 2000
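
Added example, not part of either message above: the allowlist from the reply combined with the list form of a piped `open`, so that no shell ever parses the query. It assumes Perl 5.8 or later on a Unix-like system; the paths in `$swish` and `$index`, the 200-character limit, the leading-dash check and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed locations; adjust for the local install (not taken from the post).
my $swish = '/usr/local/bin/swish-e';
my $index = '/var/lib/swish/index.swish';

# Return a cleaned query, or undef if nothing usable remains.
sub clean_query {
    my ($raw) = @_;
    return unless defined $raw;
    # Same allowlist as the second substitution in the reply.
    (my $q = $raw) =~ s/[^a-zA-Z0-9\-\_\*\.\@\(\)\=\" ]/ /g;
    $q =~ s/^\s+|\s+$//g;                  # trim surrounding whitespace
    return if $q eq '' or length($q) > 200;
    return if $q =~ /^-/;                  # must not look like an option
    return $q;
}

# Run the search and return swish's output lines.
sub run_search {
    my ($raw, $max) = @_;
    my $query = clean_query($raw);
    defined $query or die "empty or rejected query\n";
    defined $max && $max =~ /^\d{1,4}$/ or die "bad result limit\n";
    # List form: Perl executes $swish directly and each element arrives
    # as exactly one argument; no shell sees the query.
    open(my $fh, '-|', $swish, '-w', $query, '-m', $max, '-f', $index)
        or die "cannot run $swish: $!\n";
    my @lines = <$fh>;
    close($fh) or warn "swish exited with status $?\n";
    return @lines;
}

# Constructed inputs showing what the allowlist leaves behind.
for my $raw ('perl AND cgi', 'foo; echo injected', '`id`', '-f other.index') {
    my $q = clean_query($raw);
    printf "%-20s => %s\n", $raw, defined $q ? "[$q]" : 'rejected';
}
```

The allowlist still lets `(`, `)` and `"` through, which a shell would interpret; with the list form they reach swish as literal characters of a single argument.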