Posted by Daniel Parry on April 26, 2008, 7:49 am
Hello all,
I was wondering if anyone could give me some pointers as to the
best way to untaint the associative array %config in the following
snippet please? Do I need to check its content against a suitable
regexp somehow? Or maybe I should use another method to read in
the file contents, though I'd prefer not to have to include
any cpan libraries...
no strict;
# Slurp the whole config file and run it as Perl code; the config file
# is expected to set $userconfig to a hash reference.
if ( open( CONFIG, "$configFile" ) ) {
    my $readConfig = "";
    while ( <CONFIG> ) { $readConfig .= $_; }
    eval $readConfig;            # this is what taint mode refuses while $readConfig is tainted
    %config = %{ $userconfig };
    close( CONFIG );
}
else {
    die "Could not read config file: $configFile!";
}
use strict;
Thanks in advance for any help!
Best wishes,
Daniel
Posted by Ben Bullock on April 26, 2008, 9:28 am
On Sat, 26 Apr 2008 11:49:21 +0000, Daniel Parry wrote:
> Hello all,
>
> I was wondering if anyone could give me some pointers as to the best way
> to untaint the associative array %config in the following snippet please?
> Do I need to check its content against a suitable regexp somehow? Or
> maybe I should use another method to read in the file contents, though
> I'd prefer not to have to include any cpan libraries...
The documentation is in perldoc perlsec:
"Values may be untainted by using them as keys in a hash; otherwise the
only way to bypass the tainting mechanism is by referencing subpatterns
from a regular expression match."
> no strict;
> if ( open( CONFIG, "$configFile" ) ) {
> my $readConfig = "";
> while ( <CONFIG> ) { $readConfig .= $_; } eval $readConfig;
Assuming you actually care about the security of your script, the
untainting should be done before you "eval" the thing you've read in.
Otherwise, the above is probably the single most insecure thing you can
do in a Perl script.
As described above, to blanket untaint $readConfig, just match it against
any regular expression and use any substring match. Here is an example
program:
#!/usr/bin/perl -T
use warnings;
use strict;
use Scalar::Util 'tainted';
my $try;
# Report whether the argument carries the taint flag, numbering each check.
sub print_tainted
{
    $try++;
    my ($what) = @_;
    print "$try: ";
    print "not " unless (tainted($what));
    print "tainted\n" ;
}
my $job = <STDIN>;       # anything read from a filehandle is tainted under -T
print_tainted($job);     # 1: tainted
$job =~ /^(.*)$/s;       # matches any string at all; only the capture is untainted
$job = $1;
print_tainted($job);     # 2: not tainted
Posted by Gunnar Hjalmarsson on April 26, 2008, 10:17 am
Ben Bullock wrote:
> On Sat, 26 Apr 2008 11:49:21 +0000, Daniel Parry wrote:
>> I was wondering if anyone could give me some pointers as to the best way
>> to untaint the associative array %config in the following snippet please?
<snip>
>> if ( open( CONFIG, "$configFile" ) ) {
>> my $readConfig = "";
>> while ( <CONFIG> ) { $readConfig .= $_; } eval $readConfig;
>
> Assuming you actually care about the security of your script, the
> untainting should be done before you "eval" the thing you've read in.
> Otherwise, the above is probably the single most insecure thing you can
> do in a Perl script.
Maybe so, but...
> my $job = <STDIN>;
> print_tainted($job);
> $job =~ /^(.*)$/s;
> $job = $1;
you don't seriously mean that that code would make $job much less
insecure, do you? The regex accepts anything. You'd better choose a
regex that limits the allowed characters as far as possible.
--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
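The kind of restrictive untainting Gunnar is asking for, as an added example that is not code from anyone in this thread: the config file is parsed as "key = value" lines instead of being eval'd, and each value is untainted only through a pattern describing what that particular key may legitimately hold. The key names, their patterns and the sample file are all invented for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util 'tainted';

# Hypothetical per-key patterns (an assumption for this example): each one
# captures the whole value, so the capture is the untainted result.
my %allowed = (
    logdir  => qr{\A((?:/[\w.-]+)+)\z},    # absolute path, safe characters only
    retries => qr{\A([0-9]{1,3})\z},        # small non-negative integer
    mode    => qr{\A(fast|safe)\z},         # one of a fixed set of words
);

# Parse "key = value" lines into a hash, untainting each value through its
# key-specific pattern. Anything unknown or out of shape is a fatal error,
# which a blanket /^(.*)$/s can never give you.
sub load_config {
    my ($fh) = @_;
    my %config;
    while ( my $line = <$fh> ) {
        next if $line =~ /\A\s*(?:#|\z)/;    # skip blank and comment lines
        my ( $key, $raw ) = $line =~ /\A\s*(\w+)\s*=\s*(.*?)\s*\z/
            or die "malformed config line $.: $line";
        my $re = $allowed{$key}
            or die "unknown config key '$key' on line $.\n";
        # Only the captured subpattern loses the taint flag, and only when
        # the restrictive pattern matched; $raw itself stays tainted.
        my ($clean) = $raw =~ $re
            or die "bad value for '$key' on line $.: '$raw'\n";
        $config{$key} = $clean;
    }
    return \%config;
}

# Constructed sample input, read through a filehandle so it goes down the
# same path a real config file would.
my $sample = <<'CFG';
# example config
logdir  = /var/log/myapp
retries = 3
mode    = safe
CFG
open( my $fh, '<', \$sample ) or die "cannot open sample config: $!";
my $config = load_config($fh);
for my $key ( sort keys %$config ) {
    printf "%-8s = %-16s (%s)\n", $key, $config->{$key},
        tainted( $config->{$key} ) ? 'tainted' : 'untainted';
}
```

Run it as `perl -T` so the taint checks are actually in effect; change `mode = safe` to `mode = rm -rf` in the sample to see the loader refuse the value instead of silently blessing it.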
Posted by Ben Bullock on April 26, 2008, 6:11 pm
On Sat, 26 Apr 2008 16:17:52 +0200, Gunnar Hjalmarsson wrote:
> Ben Bullock wrote:
>> my $job = <STDIN>;
>> print_tainted($job);
>> $job =~ /^(.*)$/s;
>> $job = $1;
>
> you don't seriously mean that that code would make $job much less
> insecure, do you?
No, I didn't say that. This just removes the taint flag without doing
anything to the string, so there is absolutely no change in security.
It's just a "dodge". Hopefully the original poster understood that, but
thank you for clarifying it.
Posted by xhoster on April 26, 2008, 8:45 pm
>
> > no strict;
> > if ( open( CONFIG, "$configFile" ) ) {
> > my $readConfig = "";
> > while ( <CONFIG> ) { $readConfig .= $_; } eval $readConfig;
>
> Assuming you actually care about the security of your script, the
> untainting should be done before you "eval" the thing you've read in.
> Otherwise, the above is probably the single most insecure thing you can
> do in a Perl script.
Hardly. It reads and executes some file, presumably from some disk. (He
doesn't show us how that file name was obtained, which is a bit
disconcerting, but anyway...) But what is his initial program itself?
Some file from some disk, most likely. If the evil-doer can put something
malicious in one file on the disk, why can't they put something malicious
into the main file and be done with it? Sure, one could arrange it such
that one of the files is secure and the other isn't, but then again one
could arrange it so that neither file is secure.
Xho