Insecure $ENV{ENV} while running with -T switch


Question

When I try the last example from perlfaq5: How-do-I-count-the-number-of-lines-in-a-file? I get an error message. What should I do to get the script working?

#!/usr/local/bin/perl -T
use warnings;
use 5.012;

$ENV{PATH} = undef;

my $filename = 'perl2.pl';

if( $filename =~ /^([0-9a-z_.]+)\z/ ) {
    my $lines = `/usr/bin/wc -l $1`;
    print $lines;
}

Output:

Insecure $ENV{ENV} while running with -T switch at ./perl1.pl line 10.

Solution

2nd Edition of Answer

The perldoc perlsec manual describes taint mode (there is also perldoc Taint for a module related to Taint mode).

In part, it illustrates:

$path = $ENV{'PATH'};       # $path now tainted

$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

$path = $ENV{'PATH'};       # $path now NOT tainted
system "echo $data";        # Is secure now!

After the $ENV{PATH} = undef; in your code, I was warned about CDPATH. So, adapting that code, I used (perl2.pl again):

#!/usr/bin/env perl -T
use warnings;
use 5.012;

delete @ENV{'PATH', 'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

my $filename = 'perl2.pl';

if ($filename =~ /^([0-9a-z_.]+)\z/)
{
    my $lines = `/usr/bin/wc -l $1`;
    print $lines;
}

With the answer '13 perl2.pl' this time. This is far less draconian than the 1st Edition of the answer.

1st Edition of Answer

This draconian solution 'works':

#!/usr/bin/env perl -T
use warnings;
use 5.012;

foreach my $env (keys %ENV)
{
    undef $ENV{$env};
}

my $filename = 'perl2.pl';

if ($filename =~ /^([0-9a-z_.]+)\z/)
{
    my $lines = `/usr/bin/wc -l $1`;
    print $lines;
}

If the script is called 'perl2.pl', then running perl -T perl2.pl yields the answer '16 perl2.pl' (if you don't have any trailing blank lines).

I call it 'draconian' because I've unset every environment variable, piecemeal.
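The following is an added example, not code from the question or the answer above. It puts the perlsec recipe the answer quotes into a small script: %ENV is fixed up once, the filename is untainted by capturing it through a strict allow-list, and wc is started with a list-form pipe open so that no shell ever sees the filename. The /usr/bin/wc path is taken from the thread; the command-line argument is a hypothetical input of my own, and the script is meant to be run as perl -T count.pl [file] so taint mode is on from startup.

```perl
#!/usr/bin/perl -T
# Added example (not from the question or answer above): the same line count
# done under taint mode with an explicit environment cleanup and a list-form
# pipe open, so no shell is involved in running wc.
use strict;
use warnings;
use 5.012;
use Scalar::Util qw(tainted);

# perlsec's recipe: pin PATH to a fixed safe value and drop the variables
# that a shell or child program would read on startup. Perl checks PATH for
# every exec/system/backtick, even when the program path is absolute.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a filename by extracting only the part that matches an allow-list.
# Returns nothing (rather than a tainted value) when the name does not match,
# so a caller can never accidentally pass a tainted string downstream.
sub untaint_filename {
    my ($name) = @_;
    return unless defined $name;
    return $1 if $name =~ /^([0-9A-Za-z_.-]+)\z/;   # the capture is untainted
    return;
}

# Count lines with wc via a list-form pipe open: the arguments go straight
# to execvp, so shell metacharacters in $file have nothing to act on.
sub count_lines {
    my ($file) = @_;
    open(my $wc, '-|', '/usr/bin/wc', '-l', '--', $file)
        or die "cannot run wc on $file: $!";
    my $out = <$wc>;
    close $wc or die "wc exited with status " . ($? >> 8) . "\n";
    my ($n) = $out =~ /^\s*(\d+)/;
    return $n;
}

# Command-line arguments are tainted under -T. The argument is a hypothetical
# input for this example; with none given, the thread's perl2.pl is used.
my $raw = @ARGV ? $ARGV[0] : 'perl2.pl';
say "raw argument tainted:  ", tainted($raw) ? 'yes' : 'no';

my $file = untaint_filename($raw)
    // die "refusing to use filename '$raw': not in the allowed character set\n";
say "untainted name tainted: ", tainted($file) ? 'yes' : 'no';
say count_lines($file), " $file";
```

The difference from the scripts in the thread is where the trust boundary sits: the backtick form hands the interpolated string to /bin/sh, so the regex on the filename is the only thing standing between an attacker-controlled name and the shell, whereas the list-form open makes the regex a second layer rather than the sole one. Scalar::Util::tainted is only there so you can see, at each step, which values taint mode would still refuse to pass to a child process.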
