Revisions to Security implications of running perl -ne '...' *

added 106 characters in body

Source Link

edited Nov 2, 2023 at 6:54

584.8k
96
1.1k
1.7k

But even then, it's still dangerous and that's down to the <> operator used bywhenever any of the -n/ (sed -n mode), -p (sed mode), -a / -F (awk mode) are used without -i (in-place).

But even then, it's still dangerous and that's down to the <> operator used by -n/-p.

But even then, it's still dangerous and that's down to the <> operator used whenever any of the -n (sed -n mode), -p (sed mode), -a / -F (awk mode) are used without -i (in-place).

added 57 characters in body

Source Link

edited Nov 25, 2017 at 10:47

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Using -T to turn on taint mode helps to some extent. It will abort the command if such malicious file is encountered (only for the > and | cases, not < or whitespace though).

Using -T to turn on taint mode helps to some extent. It will abort the command if such malicious file is encountered.

Using -T to turn on taint mode helps to some extent. It will abort the command if such malicious file is encountered (only for the > and | cases, not < or whitespace though).

added 57 characters in body

Source Link

edited Nov 25, 2017 at 10:40

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Also beware that some characters in some multi-byte character sets (like ǖ in BIG5-HKSCS) end in byte 0x7c, the encoding of |.

$ printf ǖ | iconv -t BIG5-HKSCS | od -tx1 -tc
0000000  88  7c
        210   |
0000002

So in locales using that charset,

 perl -pe '' ./nǖ

Would try to run the ./n\x88 command as perl would not try to interpret that file name in the user's locale!

Also beware that some characters in some multi-byte character sets (like ǖ in BIG5-HKSCS) end in byte 0x7c, the encoding of |.

$ printf ǖ | iconv -t BIG5-HKSCS | od -tx1 -tc
0000000  88  7c
        210   |
0000002

So in locales using that charset,

 perl -pe '' ./nǖ

Would try to run the ./n\x88 command as perl would not try to interpret that file name in the user's locale!

added 57 characters in body

Source Link

edited Nov 25, 2017 at 10:21

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

added 77 characters in body

Source Link

edited Aug 21, 2017 at 11:49

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

oops

Source Link

edited Aug 11, 2015 at 12:58

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

added 102 characters in body

Source Link

edited Jun 3, 2015 at 10:50

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

added 506 characters in body

Source Link

edited Jun 3, 2015 at 10:42

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

deleted 1 character in body

Source Link

edited Nov 26, 2014 at 10:35

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

added 1100 characters in body

Source Link

edited Nov 26, 2014 at 10:24

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

added 174 characters in body

Source Link

edited Nov 26, 2014 at 9:38

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

added 180 characters in body

Source Link

edited Nov 26, 2014 at 8:21

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

Source Link

answered Nov 26, 2014 at 8:15

Stéphane Chazelas

584.8k
96
1.1k
1.7k

Loading

Stack Exchange Network

Return to Answer