in reply to Perl 5.8.0 PerlIO insecure dependency

Here is the code in question from PerlIO....

sub import {
    my $class = shift;
    while (@_) {
        my $layer = shift;
        if (exists $alias{$layer}) {
            $layer = $alias{$layer};
        }
        else {
            $layer = "${class}::$layer";
        }
        eval "require $layer";   # this is line 22 of PerlIO.pm, where the taint error is raised
        warn $@ if $@;
    }
}

It would seem reasonable to add:

$layer = $1 if $layer =~ m/^([\w:]+)$/;

Just before the eval to untaint it safely. That should allow everything through that needs to come through. It is a reasonable patch I would have thought. It may however just allow stuff to break elsewhere.

Does your script really need to be suid in the first place?

cheers

tachyon

no PerlIO $ENV{TAINTED};
by PodMaster (Abbot) on Apr 13, 2004 at 02:12 UTC
    I don't think so. That would allow stuff like
    E:\>set TAINTED=crlf
    E:\>perl -T -e"use PerlIO $ENV{TAINTED};"
    Insecure dependency in eval while running with -T switch at G:/Perl/lib/PerlIO.pm line 22.
    BEGIN failed--compilation aborted at -e line 1.
    to slip through, when it clearly shouldn't.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

      Actually there is nothing wrong with the behaviour you would get with the patch and your test case (removing the -T to simulate the effect of the patch, as crlf will match ^[\w:]+$):

      [root@devel3 root]# TAINTED=crlf;export TAINTED
      [root@devel3 root]# perl5.8.3 -e 'print $ENV{TAINTED},$/;'
      crlf
      [root@devel3 root]# perl5.8.3 -e 'use PerlIO $ENV{TAINTED};'
      Can't locate PerlIO/crlf.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/5.8.3 /usr/local/lib/perl5/site_perl/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at (eval 1) line 3.
      [root@devel3 root]#

      All that patching it to untaint \w: chars does is allow you to call an arbitrary PerlIO::Widget::Whotnot. That module still has to exist or it will just explode.

      You could make a good argument for a patch like:

      croak "No way hosay...." unless $layer =~ m/^([\w:]+)$/;
      $layer = $1;
      eval "....

      cheers

      tachyon

        That's kind of not the point, I think the value should remain tainted and the user should be made to untaint. A patch of $layer =~ s/[^\w:]//g; would take care of that.

        And btw, that regex is not bulletproof. "foo and exit" and a whole bunch of other nasties could slip by.

        MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
        I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
        ** The third rule of perl club is a statement of fact: pod is sexy.
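The two positions in this sub-thread, tachyon's "croak unless the name matches, then take the capture" and PodMaster's "the value must stay tainted until someone untaints it deliberately", can be shown side by side in a small taint-mode script. This is an added example, not code from PerlIO.pm or from anyone in the thread; the functions untaint_layer and known_layer, the list of shipped layer names, and the bad inputs are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not PerlIO's code. Run it with -T on the command line, e.g.
#   TAINTED=crlf perl -T untaint_layer.pl
# (-T only in the shebang is rejected as "Too late for -T" when started as
# perl script.pl, so the demo relies on the command-line switch).
use strict;
use warnings;
use Carp qw(croak);
use Scalar::Util qw(tainted);

# Hypothetical replacement for the bare `eval "require $layer"`: refuse
# anything that is not a plain identifier with optional :: separators and
# return the regex capture, which is the one sanctioned way to clear the
# taint flag under -T. Unlike s/[^\w:]//g it never silently "repairs" input;
# a name with spaces or punctuation dies at the call site instead.
sub untaint_layer {
    my ($layer) = @_;
    my $shown = defined $layer ? $layer : '<undef>';
    croak "refusing PerlIO layer name '$shown': must match ^[\\w:]+\$"
        unless defined $layer && $layer =~ m/^([\w:]+)$/;
    return $1;
}

# Stricter variant, mirroring the %alias table in PerlIO.pm: besides being
# well-formed, the name must be one we actually ship, so a valid-looking but
# unknown PerlIO::Widget::Whotnot never reaches require() at all.
# The list below is constructed for the demo.
my %shipped = map { $_ => 1 } qw(crlf raw utf8 scalar via encoding);

sub known_layer {
    my ($layer) = @_;
    my $clean = untaint_layer($layer);
    croak "unknown PerlIO layer '$clean'" unless $shipped{$clean};
    return $clean;
}

# Under -T every %ENV value is tainted, exactly like $ENV{TAINTED} in the
# test case above; the literal fallback is not.
my $from_env = defined $ENV{TAINTED} ? $ENV{TAINTED} : 'crlf';
printf "input '%s' tainted: %s\n", $from_env, tainted($from_env) ? 'yes' : 'no';

my $clean = eval { known_layer($from_env) };
if (defined $clean) {
    printf "after validation '%s' tainted: %s\n", $clean, tainted($clean) ? 'yes' : 'no';
}
else {
    print "rejected '$from_env': $@";
}

# Constructed bad inputs: whitespace, punctuation, path characters, and a
# well-formed but unshipped name are all stopped before any string eval.
for my $bad ('foo and exit', 'crlf;1', '../PerlIO/crlf', 'Widget::Whotnot') {
    my $ok = eval { known_layer($bad); 1 };
    print "rejected '$bad': $@" unless $ok;
}
```

With TAINTED=crlf the first line reports the environment value as tainted and the second reports the validated copy as clean; every entry of the loop is rejected, the last one by the allow-list rather than the pattern, which is the difference between "looks like a module name" and "is a layer we know about".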

Re: Re: Perl 5.8.0 PerlIO insecure dependency
by bplatz (Initiate) on Apr 13, 2004 at 01:29 UTC
    Yes, the code in which this excerpt appears does need to be run setuid, until it reads a configuration file, after which it reverts back to uid == euid. By the time it reaches the code in question, uid == euid, but the error appears at BEGIN time, not runtime. I am aware of how to untaint variables, but was curious if anyone else has seen this or reported it to perl.org. Tonight I submitted a bug report to perl.org. Let's see what kind of reply I get from them. Thanks again!