On Wed, 16 Feb 2000, Bill McKinnon wrote:
> > Not really. Consider the following snippet:
> >
> > open PASSWD, '< /etc/passwd';
> > $var = '&PASSWD'; # also try $var = '&3';
> > open IN, "< $var";
> > print while (<IN>);
> >
> > Perl's open will dup other file descriptors if < is followed by &. This
> > isn't as potentially problematic as forking commands, but there may be
> > circumstances where someone could dup a filehandle and cause your script
> > to behave strangely/output sensitive information/etc.
> Interesting. And for the curious, this doesn't seem to be noticed by
> Perl's tainting mechanism, unless I'm misunderstanding something:
>
> $ perl -T - '&PW'
> open(PW, "/etc/passwd") or die "open(): $!\n";
>
> $var = shift;
>
> open(FH, "< $var") or die "open(): $!\n";
>
> print <FH>;
>
> (hit CTRL D here)
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin:
> ...
> etc
Perl's tainting mechanism only comes into play if you are invoking a
external command in some way: via system, exec, backticks, or opening a
filehandle to or from a pipe. For example,
#!/usr/bin/perl -w -T
open(PW, "<$ARGV[0]") or die $!;
print <PW>;
__END__
will run without complaint, as long as the filename you pass it in
$ARGV[0] is readable.
However,
#!/usr/bin/perl -w -T
$ENV{PATH}=''; # we need a safe path
$ENV{BASH_ENV}=''; # and a safe bash env
open(PW, "/bin/cat $ARGV[0] |") or die $!;
print <PW>;
__END__
which does the same thing, will die with a "Insecure dependency in piped
open while running with -T switch" error.
--
Brock Sides
Unix Systems Administration
Towery Publishing
bsidesat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:34 PDT