Subject: BBPerl does not escape meta-characters
BBPerl does not escape meta-characters before sending them to the shell. If a test is designed to report any form of untrusted input to a Big Brother server (e.g. from a log file), this could create an indirect security vulnerability.
Here is the adjustment that we're using at my workplace:
- ${bbmsgs} =~ s/"/\\"/g;
+ $bbmsgs =~ s/"/\\"/g;
+ $bbmsgs =~ s/\$/\\\$/g;
+ $bbmsgs =~ s/\`/_/g;
+ $bbmsgs =~ s/\(/_/g;
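Review bot: the backslash is never escaped in this hunk, and because the quote substitution runs first, a message that already contains a backslash followed by a double quote becomes `\\"`, which the shell reads as a literal backslash and then an unescaped closing quote; add `$bbmsgs =~ s/\\/\\\\/g;` as the first substitution, ahead of `s/"/\\"/g`. The hunk is also a blocklist of four characters: `;`, `|`, `&`, `<`, `>` and newlines still reach the shell untouched, while rewriting a backtick or `(` to `_` silently alters legitimate log text. A more robust fix is to keep the message out of shell parsing altogether (pass it as its own argument to the list form of `system`/`exec`, or wrap it in single quotes with any embedded `'` rewritten as `'\''`) and to add a comment stating which shell the string is handed to, since the escaping rules depend on it. The `${bbmsgs}` to `$bbmsgs` rename on the first line is cosmetic and is better kept out of a security fix.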