Not really. One favorite hacker's trick is to alter the PATH environment variable so that it points to the program he wants your script to execute rather than the program you're expecting. In addition to avoiding passing unchecked user variables to external programs, you should also invoke the programs using their full absolute pathnames rather than relying on the PATH environment variable. That is, instead of this fragment of C code:
system("ls -l /local/web/foo");
use this:
system("/bin/ls -l /local/web/foo");
If you must rely on the PATH, set it yourself at the beginning of your CGI script:
putenv("PATH=/bin:/usr/bin:/usr/local/bin");
In general it's not a good idea to put the current directory (".") into the path.
0 comments, (574 reads) All Articles by, GentleGiant