Re^5: Runtime Taint Enable

Okay...I'll bite. Consider the following program:

use warnings;
use strict;

foreach my $file (<*>) {
   if ($file =~ m/(.*)/) { #we trust everything from *our* box
      $file = $1;
      my $rc = system("rm", $file);
   }
}
[download]

Now consider this file listing:

-rw-rw-r--   1 thulben  thulben         1 Feb 24 11:03 -rf
-rwxr-xr-x   1 thulben  thulben       254 Feb 24 10:59 unsafe.pl*
[download]

Whoops!

thor

Feel the white light, the light within Be your own disciple, fan the sparks of will For all of us waiting, your kingdom will come

Comment on Re^5: Runtime Taint Enable Select or Download Code

Replies are listed 'Best First'.
Re^6: Runtime Taint Enable by Rhandom (Curate) on Feb 24, 2005 at 18:37 UTC
So the question is - how did those files get on the system. Most likely they are user files created in some user usable process/cgi - so the filenames themselves would be considered user data and hopefully taint mode would be enabled before dealing with user data. If it isn't user data from a user usable process - then it might be a good idea at this point to check for rootkits. Either way - things might be legitimate on this box - these may be perfectly legal files. The process just needs to be sure to enable taint mode before doing such horridly taint unsafe operations. It seems the higher the risk, or the more unknown the modules are that are being used, the closer to the beginning of the script that taint mode should be enabled. In a setuid situation it should probably be so close the beginning of the script that you use the -T. Oh - I see you untainted - so tainting doesn't matter. Well there are a few things going in your favor. First - for this operation to work you had to be chrooted into the directory or else rm $file isn't going to work. That, or the filename returned by the <*> is going to contain the full filename /path/to/file/-rf which will most likely just give an error. So this case probably wasn't a tragedy. There are worse filenames though that certainly would cause trouble like "foo; rm -rf /" (The entire quoted string is the filename). This then becomes an issue not of taint/untaint but vs sane programming practices - such as using unlink and rmdir and File::Path::rmtree and avoiding system and exec were possible. And certainly not blindly untainting things "we" trust. As a foot note - I've managed to create files like that before (on accident) and getting rid of them is a pain (without perl). But, in a production environment, people with the ability to put such files in places that will get read and actually do put such files in those places - those people ought to have access revoked. The hand creating of such a file indicates that much worse things almost happened at the file creation. Again - thanks for your cautionary reponse. I agree. ++ my @a=qw(random brilliant braindead); print $a[rand(@a)];	[reply]

Replies are listed 'Best First'.

Re^6: Runtime Taint Enable
by Rhandom (Curate) on Feb 24, 2005 at 18:37 UTC

my @a=qw(random brilliant braindead); print $a[rand(@a)];

[reply]