Re: fopen is a forbidden command on mathcloud.se
From: John W. Eaton
Subject: Re: fopen is a forbidden command on mathcloud.se
Date: Tue, 3 Aug 2010 10:35:17 -0400
On 3-Aug-2010, CdeMills wrote:
| fopen() is a gateway to a lot of dirty tricks, like
|
| filename="`cd / && rm -rf *`"
| fopen(filename)
|
| Due to the backticks in the string passed to fopen, what's inside the
| backticks is evaluated, producing some output to stdout, which is then read
| as stdin from the octave side. But evaluating the given command will result
| in unwanted side effects :-)
In what language? Not Octave, or C/C++, or Fortran, or many others
I'd guess.
In Perl or sh, doesn't the execution of the operation in backticks occur
when the character string is evaluated on the RHS of the assignment?
So this problem has nothing to do with fopen, and everything to do
with the way `` works to allow you to generate a character string with
a shell command.
| In many programming environments, using fopen from user-supplied data is
| considered a dangerous operation and avoided.
Which environments?
jwe
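As an added illustration of the point made above (this is not code from the thread): in sh, backtick substitution happens while the string is being built on the right-hand side of the assignment, and a file name that merely contains backtick characters is just bytes to the call that opens it. The temporary directory and the `echo` commands are constructed for the demo.

```shell
#!/bin/sh
# Shows where backtick command substitution happens in sh: while the string is
# being built, never inside the call that later opens a file by that name.

# Double-quoted assignment: the backticks run when the RHS is evaluated, so the
# variable already holds the command's output before any open/fopen is called.
name_from_double_quotes() {
    name="`echo evaluated-at-assignment`"
    printf '%s' "$name"
}

# Single-quoted assignment: the backticks are ordinary characters in the string.
name_from_single_quotes() {
    name='`echo not-evaluated`'
    printf '%s' "$name"
}

# Creating a file under a name that contains literal backticks executes nothing:
# the open call treats the string as bytes. Prints the directory entry created.
open_literal_name() {
    dir=$(mktemp -d)            # constructed scratch directory for the demo
    name='`echo not-evaluated`'
    : > "$dir/$name"            # open for writing, the shell analogue of fopen(name, "w")
    ls "$dir"                   # the only entry is the literal backtick string
    rm -r -- "$dir"
}
```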