Assignment 4, due Feb 16

Part of the homework for 22C:169, Spring 2007
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday), and unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

  1. Background: Consider this shell script, stored in the file fibonacci and marked as an executable file:
    #!/bin/tcsh
    # fib arg
    # outputs the arg'th fibonacci number
    
    if      ($argv <= 1) then
            echo $argv
    else
            @ m1 = $argv - 1
            @ m2 = $argv - 2
            @ return = `fib $m1` + `fib $m2`
            echo $return
    endif
    

    a) What output does this produce for the inputs fib 0 through fib 8? (1/2 point)

    b) Give equivalent C, C++, C# or Java code, writing it as a function that takes an integer argument and returns an integer result. Hint: In all of these languages, the code is smaller than the original shell script! (1/2 point)

    c) Explain the potential for injection vulnerability in this code; what stupid thing did the programmer do? (1 point)

    d) Give a command line for a call to the above fib script that will, as a side effect, run the cat fib command to list the file to standard output. (1 point)

    e) Propose code to add to the fib routine that prevents its use with the incorrect number of parameters. This is one way to eliminate the injection vulnerability in this code. (1 point)

    f) In fact, this code does include an injection vulnerability. Can you find a call to this code that will inject the command ls -l fib? (From there, it is not a long shot to rm -f fib.) (1 point)