Menu
▾
▴
RE: [misterhouse-users] Updates to internet_im.pl
|
From: Timothy S. <spaulding@ICanBrew.com> - 2002-05-14 02:18:59
|
Is there a way we can allow commands based on the sender of the IM
command? Such as a file that lists users who are allowed to execute
commands.
-----Original Message-----
From: Bruce Winter [mailto:br...@mi...]=20
Sent: Monday, May 13, 2002 9:27 PM
To: misterhouse-users
Subject: Re: [misterhouse-users] Updates to internet_im.pl
> How sure are you about the security of process_external_command() ?=20
> I'd be extremely nervous about it... there are way too many ways to=20
> break out of perl once you give someone the ability to "eval".
I'm not too comfortable here either. Currently, internet_im.pl will run
the 'set $item $state' eval only if the message was from an authorized
sender, but I don't know enough about the im programs to know if address
names are spoofable. Anyone know?
Hows about we make that eval a bit safer by changeing this (in
mh/bin/mh):
elsif ($cmd =3D~ /^set +(\S+)/i and eval "ref $1") {
to this:
elsif ($cmd =3D~ /^set +(\S+) * [\'\" _a-z0-9]+ *$/i and eval "ref
$1") {
Can anyone think of an evil eval hack that where this would pass this
test
and do damage? It would only allow for one argument sets, but almost
all
set methods only take one arg.
Bruce
_______________________________________________________________
Have big pipes? SourceForge.net is looking for download mirrors. We
supply the hardware. You get the recognition. Email Us:
ban...@so...
________________________________________________________
To unsubscribe from this list, go to:
http://sourceforge.net/mail/?group_id=3D1365
|