in reply to Re: Re: script-security / custom nagios-check
in thread script-security / custom nagios-check

-T helps you in security in that it marks any data coming from 'the outside' as tainted until you explicitly untaint it with a regexp.
#!/bin/perl -wT
use strict;

# $ARGV[0] comes from outside the program, so under -T it is tainted.
my $taintedVar = $ARGV[0];

# A regexp capture is untainted; the pattern itself restricts the value to digits.
if ($taintedVar =~ m/^([0-9]+)$/) {
    my $UNtaintedVar = $1;
}
A not-so-smart programmer could use (.*) as a regexp and then the data $1 would be untainted but insecure.
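A small check script that makes the point above observable, added here as an example and not taken from the poster's code. It uses Scalar::Util::tainted to show which values taint mode still considers untrusted, shows that a raw argument cannot reach system() under -T, and shows that a (.*) capture passes -T while validating nothing. The script name taint_demo.pl and the port argument are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example (not the original poster's code): a minimal Nagios-style
# check run under taint mode. It shows what -T enforces and what it does
# not: the tainted argument cannot reach system() until it has been through
# a regexp capture, but only the regexp decides whether that capture is safe.
#
# Run it as:  perl -T taint_demo.pl 8080
# (-T must also be given on the command line when starting it via
#  "perl script.pl"; otherwise perl dies with 'Too late for "-T" option'.)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# %ENV is tainted as well. system() refuses to run until PATH is set to a
# trusted value and the variables a shell might honour are removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $arg = defined $ARGV[0] ? $ARGV[0] : '';
print "argument tainted:        ", (tainted($arg) ? 'yes' : 'no'), "\n";

# The mistake the post warns about: (.*) produces an untainted capture,
# so -T is satisfied, yet $lax is whatever the caller supplied.
my ($lax) = $arg =~ /\A(.*)\z/s;
print "(.*) capture tainted:    ", (tainted($lax) ? 'yes' : 'no'), "\n";

# Passing the raw (still tainted) argument to the shell is what -T stops:
# system() dies with "Insecure dependency in system while running with -T switch".
eval { system("echo $arg") };
print "raw argument rejected:   ", ($@ =~ /Insecure dependency/ ? 'yes' : 'no'), "\n";

# Strict untaint: accept only one to five digits and reject everything else
# before the value can be used anywhere sensitive.
my $port;
if ($arg =~ /\A([0-9]{1,5})\z/) {
    $port = $1;                          # captures are untainted
} else {
    print "UNKNOWN - port argument must be numeric\n";
    exit 3;                              # Nagios exit status for UNKNOWN
}
print "validated port tainted:  ", (tainted($port) ? 'yes' : 'no'), "\n";

# $port is untainted and validated, so -T accepts this call; the list form
# also keeps the value out of any shell parsing.
system('echo', 'OK - checking port', $port) == 0
    or die "system failed: $?\n";
exit 0;
```

With a numeric argument the script reports the argument as tainted, the (.*) capture as untainted, the raw shell call as rejected, and the validated port as untainted; with a non-numeric argument it exits with status 3 before anything sensitive runs. The lesson matches the post: -T only guarantees that data passed through a regexp, and the regexp must be strict enough to carry the actual security decision.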

Re*4: script-security / custom nagios-check
by Tomte (Priest) on Jan 30, 2003 at 12:06 UTC

    I read the perldoc that far ;-)
    and decided I don't need -T, as I'm checking all input with a regexp not as general as (.*). I had used -T, but really found no difference, so I left it out, as there must be some impact on runtime.

    So unless taint-checks do check more than I know, I think I don't need it here.

    Edit: Don't get me wrong.
    Please convince me that I need -t or anything else I might have missed.
    I'm doing a lot of stuff in perl, but I'm mostly paid to do java.

    regards,
    tomte