I'm reading through perldoc perlsec in the hopes of getting a system() call to work with taint checking enabled. In particular, I have been staring at:

    system "echo $arg";          # Insecure
    system "/bin/echo", $arg;    # Secure (doesn't use sh)
    system "echo $hid";          # Insecure
    system "echo $data";         # Insecure until PATH set

    $path = $ENV{'PATH'};        # $path now tainted

    $ENV{'PATH'} = '/bin:/usr/bin';
    delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

    $path = $ENV{'PATH'};        # $path now NOT tainted
    system "echo $data";         # Is secure now!

my system call is:

    system "/usr/sbin/useradd $cli";

I have the following in my script which I had hoped would allow for this command to be used:

    ## taint environmentals
    $ENV{'PATH'} = "/bin:/usr/sbin";
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    ## clean up user's name
    $formdata{username} =~ s/ //g;
    $formdata{username} =~ s/[^A-Za-z0-9]//g;
    $formdata{username} =~ /^([A-Za-z0-9]{1,8}).*$/;
    $formdata{username} = $1;

    my $cli = "-s $shell -d $home -G $group $formdata{username}";
    $cli =~ /^(\-s \"\/bin\/false\" \-d \"\/home\/clients\/(?:stage\.)?(?:[\w\-]+\.)(?:\w{2,3}\.)?(?:\w{2,4})\/[A-Za-z0-9]+\" \-G \"hosting\,[\w\-]+\" [A-Za-z0-9]+)$/;
    $cli = $1;
    print "CLI is $cli";
    system("/usr/sbin/useradd $cli");

I stuck in that print "CLI is $cli" to see just what I was getting out of it. Sure enough, it is as I expected it to be.
In my situation, that turns out to be:

    -s "/bin/false" -d "/home/clients/stage.domain.com/testcjm" -G "hosting,domain" testcjm

In the course of my testing, I've also untainted the $shell $home $group and $formdata{username} variables.

When I don't use $cli and instead just pass the $formdata{username} variable to the system call, it works. It seems like the problem is only when I pass all the command line flags as part of $cli.

This has become my white whale for the day's chasing.

thanks -c


In reply to Untainting system calls correctly by c
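Added example, not code from the original post: the perlsec excerpt quoted above marks `system "/bin/echo", $arg` as secure because the list form of system never hands the command to /bin/sh. Applied to the useradd call, that means untainting each option value on its own and passing the arguments as a list, so there are no quotes for a shell to strip and nothing in a user-supplied value for a shell to interpret. The whitelist patterns are adapted from the post's regex; the `untaint` helper, the `--run` flag, the list of permitted shells and the sample %formdata are assumptions made for illustration. One deliberate difference from the post: a value that fails its whitelist dies instead of falling through, because after a failed match `$1` still holds the capture from the last successful match in scope, so assigning `$1` unconditionally can silently reuse stale data; usernames longer than eight characters are likewise rejected rather than truncated.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint-safe environment, as in the original post.
$ENV{PATH} = '/bin:/usr/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint one value against an explicit whitelist pattern (assumed helper).
# Returns the capture, or dies: a failed match must not fall through to a
# stale $1 left over from an earlier successful regex.
sub untaint {
    my ($name, $value, $re) = @_;
    if (!defined $value || $value !~ $re) {
        die sprintf "refusing to use %s: '%s' fails whitelist\n", $name, $value // '';
    }
    return $1;
}

# Build the useradd argument list, one array element per argument, so the
# values are never joined into a string that a shell would have to re-parse.
sub useradd_argv {
    my (%f) = @_;
    my $user  = untaint('username', $f{username}, qr/^([A-Za-z0-9]{1,8})$/);
    my $shell = untaint('shell',    $f{shell},
        qr{^(/bin/false|/bin/sh|/bin/bash)$});              # assumed allowed shells
    my $home  = untaint('home',     $f{home},
        qr{^(/home/clients/(?:stage\.)?[\w-]+\.(?:\w{2,3}\.)?\w{2,4}/[A-Za-z0-9]+)$});
    my $group = untaint('group',    $f{group},    qr/^(hosting,[\w-]+)$/);
    return ('/usr/sbin/useradd', '-s', $shell, '-d', $home, '-G', $group, $user);
}

# Constructed sample input modelled on the values shown in the post.
my %formdata = (
    username => 'testcjm',
    shell    => '/bin/false',
    home     => '/home/clients/stage.domain.com/testcjm',
    group    => 'hosting,domain',
);

my @argv = useradd_argv(%formdata);
print "argv: ", join(' | ', @argv), "\n";

# List-form system: no /bin/sh is involved, so no quoting is needed and
# nothing can be injected. Creating the account needs root, so only run
# it when asked, and check the exit status rather than ignoring it.
if (@ARGV && $ARGV[0] eq '--run') {
    system(@argv) == 0
        or die "useradd failed: exit status " . ($? >> 8) . "\n";
}
```

Run it as `perl -T useradd_taint.pl` (the shebang's -T is too late if the script is started as `perl useradd_taint.pl`); without `--run` it only prints the argument list. With the list form, the quotes the post puts around $shell, $home and $group are unnecessary and would actually be wrong: they would become literal characters of the argument, since no shell is present to remove them.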
