On Wed, 16 Feb 2000, Bill McKinnon wrote:

> > Not really. Consider the following snippet:
> >
> > open PASSWD, '< /etc/passwd';
> > $var = '&PASSWD'; # also try $var = '&3';
> > open IN, "< $var";
> > print while (<IN>);
> >
> > Perl's open will dup other file descriptors if < is followed by &. This
> > isn't as potentially problematic as forking commands, but there may be
> > circumstances where someone could dup a filehandle and cause your script
> > to behave strangely/output sensitive information/etc.
>
> Interesting. And for the curious, this doesn't seem to be noticed by
> Perl's tainting mechanism, unless I'm misunderstanding something:
>
> $ perl -T - '&PW'
> open(PW, "/etc/passwd") or die "open(): $!\n";
>
> $var = shift;
>
> open(FH, "< $var") or die "open(): $!\n";
>
> print <FH>;
>
> (hit CTRL D here)
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin:
> ...
> etc

Perl's tainting mechanism only comes into play if you are invoking an
external command in some way: via system, exec, backticks, or opening a
filehandle to or from a pipe.

For example,

    #!/usr/bin/perl -w -T
    open(PW, "<$ARGV[0]") or die $!;
    print <PW>;
    __END__

will run without complaint, as long as the filename you pass it in
$ARGV[0] is readable.

However,

    #!/usr/bin/perl -w -T
    $ENV{PATH}='';      # we need a safe path
    $ENV{BASH_ENV}='';  # and a safe bash env
    open(PW, "/bin/cat $ARGV[0] |") or die $!;
    print <PW>;
    __END__

which does the same thing, will die with an "Insecure dependency in piped
open while running with -T switch" error.

-- 
Brock Sides
Unix Systems Administration
Towery Publishing
bsidesat_private
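Added example, not part of the original thread or written by its participants: the dup behaviour discussed above, reproduced against a constructed temporary file, next to the three-argument form of open (Perl 5.6 and later), which never parses a mode out of the filename. The SECRET handle, the sample input and the name_ok allowlist are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Requires Perl 5.6 or later.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for a sensitive file the script already holds open.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "constructed-secret-line\n";
close($tmp) or die "close: $!";
open(SECRET, '<', $path) or die "open $path: $!";

# Two-argument open: mode and name share one string, so "< &SECRET"
# is parsed as a request to dup the SECRET filehandle.
sub read_two_arg {
    my ($name) = @_;
    open(my $in, "< $name") or return "open failed: $!\n";
    return join('', <$in>);
}

# Three-argument open: the mode is fixed by the caller and the third
# argument is only ever a path, so '&SECRET' is just an odd filename.
sub read_three_arg {
    my ($name) = @_;
    open(my $in, '<', $name) or return "open failed: $!\n";
    return join('', <$in>);
}

# Hypothetical allowlist for this example: plain relative names only.
sub name_ok {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/ ? 1 : 0;
}

my $var = '&SECRET';    # constructed untrusted input, as in the thread
print "two-arg:   ", read_two_arg($var);
print "three-arg: ", read_three_arg($var);
print "allowlist: ", (name_ok($var) ? "accepted" : "rejected"), "\n";
close(SECRET);
```

The two-argument call returns the contents of the already-open handle, while the three-argument call reports a failed open unless a file literally named &SECRET exists in the current directory.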
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:34 PDT