in reply to Re: Error using -T...
in thread Error using -T...

Where did the values in your hash %in come from? If they came into the program from an external source (as is implied by the name:) then they will be tainted and you will need to un-taint them before you can use them as part of the filename you supply to require.

The theory goes that as require is nothing but a sophisticated eval, then the 'bad guy' can place his evil requirements in a file /home/some/backend/pagez/wicked.conf, supply the name 'wicked' to your program and you will run whatever bad stuff he puts in there.


Examine what is said, not who speaks.
"Efficiency is intelligent laziness." -David Dunham
"When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong." -Richard Buckminster Fuller


Re: Error using -T...
by powerhouse (Friar) on May 31, 2003 at 20:54 UTC
    %in is from CGI.pm
    ReadParse(\%in);
    using cgi-lib

    How could they put wicked.conf in there, without knowing my password to the server? I have logged in under different accounts and tried to create files into it, and modify them using Shell, but I can only view them, if I change them, when I go to save them, I get a permission denied. I don't have world write to it either.

    So I guess I just don't understand how they could write to that location. If they have my username and password to the server, then they can change anything anyways.

    I am interested in hearing more if you know more :o)

    Thanks,
    Richard

      It's not a case of your password or your system or any password or system in particular. Remember, perl is a general purpose tool, used by many people in many situations, and the tainting mechanism is designed to help protect everyone who uses it.

      It works like this. If data (string, numbers, filenames, whatever) comes into your program from an external source, then, when you use -T, you are asking perl to warn you when you try to use that data in a way that could be dangerous in some situations, until you untaint it.

      Untainting means using a regex to inspect and modify the contents of that data. At this point, perl says "Okay. You got data from an external source, you've 'edited it', I cannot predict what type of editing is required to make that data safe, so I must assume that you--the programmer--know what you are doing, so now I will let you use that edited data in whatever way you want!".

      In other words, you asked perl to tell you when you attempted to do something dangerous with external input. It did. Now it is up to you to take those steps to untaint the data in whatever way you believe will make it safe.

      The risk is yours to assess and the steps are yours to take.


      Examine what is said, not who speaks.
      "Efficiency is intelligent laziness." -David Dunham
      "When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong." -Richard Buckminster Fuller


      powerhouse,
      You are missing the whole point of Taint checking. If you are positive that it is safe - why turn on -T in the first place? The point is to ensure that no gremlins get in. It is a trivial matter (most of the time) just to Untaint the data. Perl doesn't care about the fact that a password is (or isn't) required - it just cares that you are trying to require a file that comes from a variable that comes from an external source.

      Cheers - L~R
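
The untaint-then-require step discussed in this thread, as an added example that is not code from any of the posters. The temporary directory, the `%known_page` allowlist and the `untaint_page` helper are hypothetical names, and the inputs are constructed; the tainted empty string taken from `$^X` stands in for data arriving through `ReadParse(\%in)`.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_require.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Constructed stand-in for the config directory, holding one known page.
my $conf_dir = tempdir();
open my $fh, '>', "$conf_dir/main.conf" or die "Cannot write: $!";
print {$fh} "1;\n";
close $fh or die "Cannot close: $!";

my %known_page = (main => 1);    # hypothetical list of pages the site ships

# Return an untainted page name, or undef if the input is not acceptable.
sub untaint_page {
    my ($raw) = @_;
    return unless defined $raw;
    # Capture only these characters: no '/', '.', NUL or newline, so the
    # name cannot climb out of $conf_dir. The captured text is untainted.
    my ($name) = $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ or return;
    # The regex only fixes the shape; this check limits it to known files.
    return $known_page{$name} ? $name : undef;
}

# Constructed inputs; appending a zero-length tainted string taints them
# the same way values read from a CGI request are tainted.
my $taint = substr($^X, 0, 0);
for my $input ('main', 'wicked', '../../../etc/passwd', "main\n") {
    my %in = (page => $input . $taint);
    (my $shown = $input) =~ s/\n/\\n/g;

    # Raw value in the path: perl dies with "Insecure dependency in require".
    eval { require "$conf_dir/$in{page}.conf" };
    my $raw_result = $@ =~ /^Insecure dependency/ ? 'blocked by -T'
                   : $@ ? 'failed' : 'loaded';

    my $page = untaint_page($in{page});
    my $clean_result = 'rejected';
    if (defined $page) {
        $clean_result = eval { require "$conf_dir/$page.conf" } ? 'loaded' : "failed: $@";
    }
    printf "%-24s tainted=%d  raw: %-14s validated: %s\n",
        "'$shown'", tainted($in{page}) ? 1 : 0, $raw_result, $clean_result;
}

unlink "$conf_dir/main.conf";
rmdir $conf_dir;
```

A catch-all pattern such as `/(.*)/` would also clear the taint flag, but it validates nothing; the anchored character class plus the allowlist is what keeps a name like 'wicked' from reaching `require`.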