These scripts were never designed for public sites and because of that they make some dangerous assumptions about the trustworthiness of the user. Here is an example from chart I found:
my $network=(defined $param::net)?$param::net:$opts->{network};
$opts->{data_path}=eval "\"$opts->{data_path}\"";
$opts->{config_path}=eval "\"$opts->{config_path}\"" ;
And later:
my($fullfile)="$opts->{data_path}/$_";
I think this may hide the fact that $opts->{network} might be a part of data_path, so the eval might be updating data_path. This was obviously convenient at the time, but it's an easy route to exploring the filesystem.
It'll get cleaned up as I get time, but I wanted an open bug to let people know the code is currently insecure even by my usual standards :)
These scripts were never designed for public sites and because of that they make some dangerous assumptions about the trustworthiness of the user. Here is an example from chart I found:
And later:
I think this may hide the fact that $opts->{network} might be a part of data_path, so the eval might be updating data_path. This was obviously convenient at the time, but it's an easy route to exploring the filesystem.
It'll get cleaned up as I get time, but I wanted an open bug to let people know the code is currently insecure even by my usual standards :)