From: Timothy S. <spaulding@ICanBrew.com> - 2002-05-14 02:18:59
Is there a way we can allow commands based on the sender of the IM command? Such as a file that lists users who are allowed to execute commands.

-----Original Message-----
From: Bruce Winter [mailto:br...@mi...]
Sent: Monday, May 13, 2002 9:27 PM
To: misterhouse-users
Subject: Re: [misterhouse-users] Updates to internet_im.pl

> How sure are you about the security of process_external_command() ?
> I'd be extremely nervous about it... there are way too many ways to
> break out of perl once you give someone the ability to "eval".

I'm not too comfortable here either. Currently, internet_im.pl will run the 'set $item $state' eval only if the message was from an authorized sender, but I don't know enough about the IM programs to know if address names are spoofable. Anyone know?

How's about we make that eval a bit safer by changing this (in mh/bin/mh):

    elsif ($cmd =~ /^set +(\S+)/i and eval "ref $1") {

to this:

    elsif ($cmd =~ /^set +(\S+) * [\'\" _a-z0-9]+ *$/i and eval "ref $1") {

Can anyone think of an evil eval hack where this would pass this test and do damage? It would only allow for one-argument sets, but almost all set methods only take one arg.

Bruce
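The sender allowlist Timothy asks about, combined with Bruce's stricter 'set' pattern, as an added Perl example that is not part of this thread or of MisterHouse's own code. The allowlist hash, the addresses and the sample commands are constructed, and the pattern is tightened beyond the one quoted: the item must look like a Perl scalar ($Name) so that the later "ref $1" eval can only see a variable name, and a bare state may not contain spaces, so exactly one argument is accepted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allowlist of IM senders; in practice it would be loaded from a
# file of authorized addresses (hypothetical format, one address per line).
my %authorized = map { $_ => 1 } (
    'timothy@example.invalid',
    'bruce@example.invalid',
);

# Stricter form of the pattern proposed in the thread: 'set', one item that
# must look like a Perl scalar ($Name), and exactly one state argument, which
# may contain spaces only when it is quoted. Nothing else may follow.
my $SET_RE = qr/^set +(\$[A-Za-z_]\w*) +("[ _a-z0-9]*"|'[ _a-z0-9]*'|[_a-z0-9]+) *$/i;

# Returns ([item, state], undef) when the command is acceptable, or
# (undef, reason) when it must be refused. Only the validated $item should
# ever reach the "ref $item" eval in mh, and only $state the set method.
sub validate_set_command {
    my ($sender, $cmd) = @_;
    return (undef, 'sender not in allowlist') unless $authorized{ lc $sender };
    return (undef, 'command is not a one-argument set') unless $cmd =~ $SET_RE;
    my ($item, $state) = ($1, $2);
    $state =~ s/^["']//;      # strip the surrounding quotes, if any
    $state =~ s/["']$//;
    return ([$item, $state], undef);
}

# Constructed sample messages, including ones that must be refused.
my @samples = (
    ['timothy@example.invalid',  'set $Porch_Light on'],              # allowed
    ['timothy@example.invalid',  'set $Porch_Light "soft white"'],    # allowed, quoted state
    ['stranger@example.invalid', 'set $Porch_Light on'],              # sender not listed
    ['timothy@example.invalid',  'set $Porch_Light on; print "x"'],   # trailing code
    ['timothy@example.invalid',  'set $Porch_Light on off'],          # two arguments
    ['timothy@example.invalid',  'set Porch_Light on'],               # item is not a scalar name
);
for my $s (@samples) {
    my ($ok, $why) = validate_set_command(@$s);
    if ($ok) { printf "ALLOW %-32s item=%s state=%s\n", $s->[1], @$ok; }
    else     { printf "DENY  %-32s (%s)\n", $s->[1], $why; }
}
```

Even with the sender check, the address-spoofing question Bruce raises still applies: the allowlist only helps if the IM transport actually authenticates the sender address.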