In the "real world", no one uses FindBin just for curiosity, they use it to find related files. If I can fool FindBin, I can probably feed bogus data into the script by making it read my files instead of the owner's.
Please show me how you can fool $0 so that it finds the wrong files. You mentioned copying the script, but that doesn't fool the script into looking in the wrong spot. Installing the program in a different directory is not "fooling $0".
Remember, if the user can copy the script, then he can modify the script. And if he can modify the script, it doesn't matter if you can trust $0 or not. You don't worry about allergies when someone's pointing a gun at you.
hacked perl executable doing "exec" without exec(3)
Same thing goes for perl, the OS and the hardware. If the attacker can overtake these, it doesn't matter if $0 can be trusted or not. The attacker can already do everything he wants.
but there are multiple attack vectors which might work
Again, like what? So far, you've only mentioned the one I came up with (gaming the file system).
On reflection, my opinion is that tainting is insufficient and relying on $0 (and thus FindBin) for anything is likely to be insecure.
How can tainting $0 be insufficient (which means it IS insecure) if you're content with considering $0 as LIKELY to be insecure?
In reply to Re^10: Taint problems
by ikegami
in thread Taint problems
by gayathriAthreya
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |