Hi Monks,

Assuming that some ENV variables are already set in the shell, I would like to use them in my CGI with the taint mode.

I get a directory path from an ENV variable (in the example, I set the env var and then grab it), add the userid, do a change directory and finally execute a system command.

I got "Insecure dependency..", "Insecure $ENV{PATH}", "Insecure $ENV{ENV}" errors initially. I modified the script after reading the perlsec documentation and several other related posts on perlmonks.org.

Below is the modified code, which works fine, but I am not sure if this is the way to go.

Your comments/suggestions would be great.

Update:

Zaxo: Thanks for the comments on the original post

I went one step further....

Instead of hardcoding the commands to execute, I read from a file, did a taint check and passed it to the 'system' command but it fails with "Insecure dependency in system while running with -T switch at ... line 63"... It is failing at system ( $runcmd );

Any suggestions? Below is the updated code...

#! /path/to/perl -wT
use strict;

# not used
#delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

my $workdir;
my ($t_runcmd, $runcmd);

# Set Work Directory env variable
my $username = "thisuser";
$ENV{WORKDIRECTORY} = "/path/to/dir/$username";

# Assign env var value to tainted variable name
my $t_workdir = $ENV{WORKDIRECTORY};

# Check if the variable is tainted
if ( is_tainted($t_workdir) ) {
    $workdir = $t_workdir;
}

# Set default allowed paths
my @allowed_paths = ( "/bin", "/usr/bin" );

# Push new workdir to allowed paths
push @allowed_paths, "$workdir/bin";

# Add allowed paths to PATH
$ENV{PATH} = join( ':', @allowed_paths );
print "$ENV{PATH}\n";

chdir $workdir or die "Cannot change to $workdir: $!\n";

# Open the file commands in the workdir
open ( F, "$workdir/commands" ) or die "Cannot open $workdir/commands: $!\n";
$t_runcmd = <F>;

if ( is_cmd_tainted($t_runcmd) ) {
    $runcmd = $t_runcmd;
}

# Assign command -- Disabled
# my $runcmd = "ls -l > test.text";

print "$runcmd\n";

# Exec command
system ( $runcmd );

# I got this sub from perlsec but I have no clue as
# to how this untaints the data. Hence, used one to suit my
# requirement
#sub is_tainted{
#    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1};
#}

sub is_tainted {
    my $var_to_chk = shift;
    print "---$var_to_chk---\n";
    if ( $var_to_chk =~ /^([\w\/]+)$/ ) {
        return 1;
    }
    else {
        die "Bad path!!!\n";
    }
}

sub is_cmd_tainted {
    my $cmd_var = shift;
    print "---$cmd_var---\n";
    # presently, the regex checks only if the command
    # starts with 'ls'
    if ( $cmd_var =~ /^(ls)+/ ) {
        return 1;
    }
    else {
        die "Bad commands!!!\n";
    }
}

In reply to Reading ENV variable and using that in taint mode by sara2005
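The "Insecure dependency in system" comes from is_cmd_tainted (and is_tainted) returning 1 without using the captured $1: in taint mode only the capture group of a successful match is clean, so $runcmd is still the tainted line read from the file. Below is an added example, not sara2005's code, that untaints through the capture, checks each word of the command line separately against a fixed allowlist of programs, and calls system in list form so no shell ever sees the data; the allowlist, the fallback directory and the path regex are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Lock down the environment before anything else uses it.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a directory path. Only the $1 captured by a successful match is
# clean; returning 1 and reusing the original scalar leaves it tainted.
sub untaint_path {
    my ($t_path) = @_;
    $t_path =~ m{^(/[\w/.-]+)$} or die "Bad path: $t_path\n";
    my $clean = $1;
    die "Refusing '..' in path: $clean\n" if $clean =~ m{(^|/)\.\.(/|$)};
    return $clean;
}

# Untaint a command line read from a file: split into words, capture each
# word through its own regex, and require the program to be allowlisted.
my %allowed = map { $_ => 1 } qw(ls date);   # assumed allowlist

sub untaint_cmd {
    my ($t_line) = @_;
    chomp $t_line;
    my @clean;
    for my $w ( split ' ', $t_line ) {
        $w =~ m{^([\w./=-]+)$} or die "Bad argument: $w\n";
        push @clean, $1;
    }
    die "Empty command\n" unless @clean;
    die "Command not allowed: $clean[0]\n" unless $allowed{ $clean[0] };
    return @clean;
}

# Fallback directory is an assumed placeholder.
my $workdir = untaint_path( $ENV{WORKDIRECTORY} || '/path/to/dir/thisuser' );
chdir $workdir or die "Cannot chdir to $workdir: $!\n";

open my $fh, '<', "$workdir/commands" or die "Cannot open commands: $!\n";
my $t_line = <$fh>;
close $fh;

my @cmd = untaint_cmd($t_line);
die "untaint failed\n" if grep { tainted($_) } @cmd;

# List-form system never invokes /bin/sh, so a '>' redirection in the
# commands file is rejected above instead of being interpreted by a shell.
system(@cmd) == 0 or die "system @cmd failed: $?\n";
```

Run it as `perl -T script.pl` so the -T switch is in effect from the start; a commands file containing `ls -l > test.text` dies at "Bad argument: >", which is the intended outcome rather than a shell redirection.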
