re: Unsafe SWISH calls from Perl

From: Javier Wilson <jwilson(at)>
Date: Tue Sep 12 2000 - 17:29:41 GMT
If you are using Perl you can always use a regex to remove unwanted
characters, to accept only letters:

$query =~ tr/A-Za-z //cd;

or, to be a bit less strict (letters, numbers, wildcards, etc.,
as in the CGI example on the swish-e web page):

$query =~ s/[^a-zA-Z0-9\-\_\*\.\@\(\)\=\" ]/ /g;

javier wilson

----- Original Message -----
From: "Chris Humphries" <>
To: "Multiple recipients of list" <>
Sent: Tuesday, September 12, 2000 6:30 AM
Subject: [SWISH-E] re: Unsafe SWISH calls from Perl

> Is the "unsafe" call to SWISH from Perl,
> open(SWISH, "$swish -w $query -m $results $search_tags -f $index|");
> unsafe on ANY platform?
> Are there any obvious ways of checking the values passed to remove
> suspicious characters?
> Are there legitimate strings that one could search for that would be
> interpreted as system commands?
> Are PCs susceptible to something like the shell-escape problem that UNIX
> Chris Humphries
Received on Tue Sep 12 17:29:55 2000
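
An added example, not code from either poster or from the swish-e project: the character allowlist from the reply combined with Perl's list-form pipe open, which runs the program without a shell, so the query is never parsed by /bin/sh. The binary path, index path, length limit, and the rule rejecting words that begin with '-' are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example; paths and limits are assumptions, not values from the post.
my $SWISH = '/usr/local/bin/swish-e';        # hypothetical install path
my $INDEX = '/var/lib/swish/index.swish-e';  # hypothetical index file

# Turn a raw CGI query into a list of words; returns an empty list on rejection.
sub query_words {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 200;
    # Reject (rather than rewrite) anything outside the reply's character set.
    return if $raw =~ /[^a-zA-Z0-9\-_*.\@()=" ]/;
    my @words = grep { length } split / +/, $raw;
    return unless @words;
    # A word starting with '-' could be read as an option by the program.
    return if grep { /^-/ } @words;
    return @words;
}

# Build the argument vector; each element reaches the program as one argv entry.
sub swish_argv {
    my ($max, @words) = @_;
    die "bad result limit\n" unless $max =~ /\A[0-9]{1,4}\z/;
    return ($SWISH, '-w', @words, '-m', $max, '-f', $INDEX);
}

# List-form pipe open: perl executes the program directly, with no shell.
sub run_search {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Constructed sample inputs; prints the argv that run_search() would execute.
for my $raw ('perl AND cgi', 'perl; echo injected', '-m 99999', 'swish*') {
    my @w = query_words($raw);
    if (@w) { print "ok:       ", join(' | ', swish_argv(10, @w)), "\n" }
    else    { print "rejected: $raw\n" }
}
```

With the list form, a character that slips past the allowlist is still passed to the program as literal data rather than being interpreted by a shell, so the two checks back each other up.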