Re: fopen is a forbidden command on mathcloud.se
From: Jake
Subject: Re: fopen is a forbidden command on mathcloud.se
Date: Tue, 3 Aug 2010 11:03:37 -0400
I think the original sender is thinking of system().
-Jake
On Tue, 3 Aug 2010 10:35:17 -0400
"John W. Eaton" <address@hidden> wrote:
> On 3-Aug-2010, CdeMills wrote:
>
> | fopen() is a gateway to a lot of dirty tricks, like
> |
> | filename="`cd / && rm -rf *`"
> | fopen(filename)
> |
> | Due to the backticks in the string passed to fopen, what's inside the
> | backticks is evaluated, producing some output to stdout, which is then read
> | as stdin from the Octave side. But evaluating the given command will result
> | in unwanted side effects :-)
>
> In what language? Not Octave, or C/C++, or Fortran, or many others
> I'd guess.
>
> In Perl or sh, doesn't the execution of the operation in backticks occur
> when the character string is evaluated on the RHS of the assignment?
> So this problem has nothing to do with fopen, and everything to do
> with the way `` works to allow you to generate a character string with
> a shell command.
>
> | In many programming environments, using fopen from user-supplied data is
> | considered a dangerous operation and avoided.
>
> Which environments?
>
> jwe
--
Jake <address@hidden>
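Added example (not code from this thread or from Octave) showing the distinction jwe and Jake draw, in C where fopen() lives: a backtick construct handed to fopen() is used verbatim as a file name, while the same construct handed to a shell through popen() (or system()) is evaluated by the shell. It assumes a POSIX system with /bin/sh and a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a file whose name contains backticks via fopen(), then stat()
 * that exact path. Returns 1 if a file with the literal name now exists,
 * i.e. fopen() executed nothing and used the string as given. */
int fopen_keeps_backticks_literal(const char *dir) {
    char path[4096];
    /* Constructed, harmless name: to fopen() the backticks are just bytes. */
    snprintf(path, sizeof path, "%s/`echo executed`.txt", dir);
    FILE *f = fopen(path, "w");
    if (!f) return 0;
    fputs("created by fopen\n", f);
    fclose(f);
    struct stat st;
    int literal = (stat(path, &st) == 0);   /* file exists under that name */
    unlink(path);
    return literal;
}

/* Hand the same backtick construct to /bin/sh via popen(). The shell
 * performs command substitution while building the command line, so what
 * comes back on stdout is the substituted text. Returns 1 if the shell
 * printed "executed" (evaluation happened), 0 otherwise. */
int shell_evaluates_backticks(void) {
    char out[64] = {0};
    FILE *p = popen("echo `echo executed`", "r");
    if (!p) return 0;
    if (!fgets(out, sizeof out, p)) { pclose(p); return 0; }
    pclose(p);
    out[strcspn(out, "\n")] = '\0';
    return strcmp(out, "executed") == 0;
}

int main(void) {
    char dir[] = "/tmp/fopenXXXXXX";   /* scratch directory for the demo */
    if (!mkdtemp(dir)) return 1;
    printf("fopen() kept backticks literal: %d\n",
           fopen_keeps_backticks_literal(dir));
    printf("sh evaluated backticks:         %d\n",
           shell_evaluates_backticks());
    rmdir(dir);
    return 0;
}
```

The defensive consequence is the one jwe implies: validating a file name matters where that string is later handed to a shell or to system()/popen(), not because fopen() itself interprets it.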