problem saving string to cgi::session with Taint

leocharre has asked for the wisdom of the Perl Monks concerning the following question:

This is my upload accept script that is part of a larger app.

I am having problems with the session, and Taint. The script saves the file all good.. it just.. something is off on saving the session , which will record the file uploaded, just a string in a hash.

The error I get is ;

Insecure dependency in sysopen while running with -T switch at /usr/li
+b/perl5/site_perl/5.8.3/CGI/Session/Driver/file.pm line 63., referer:
+ https://devel.internal/file.cgi?session=5b64b9342c0d1412333a3864fc28
+d223
[download]

The script is..

use CGI;
use CGI::Session;
use Data::Dumper;

use DMS::Files::Upload;

# init dms without normal checkihng,.. this is a problem with cgi vali
+date and an upload, hack
my $DMS = load_nouser(conf=>'/srv/www/htdocs-devel/dms/conf/dms.conf')
+;

#init cgi
my $cgi = new CGI;
for ($cgi->param()){    /^session$|^user_file$/ or die("bad field"); }
+ # some minor checking .. make sure no extraneous data send

$$DMS{S}{session} = $cgi->param('session'); $$DMS{S}{session}=~m/^\w{3
+2}$/ or die("no sid [$$DMS{S}{session}] or not 32 word chars");

# maybe the problem is in not untainting the session id or the session
+ directory?
$$DMS{s} = new CGI::Session("driver:File",$$DMS{S}{session},{ Director
+y=> $$DMS{CONF}{SESSIONS_DIR} });
$ENV{REMOTE_ADDR} or die ('no ip');
$ENV{REMOTE_ADDR} eq $$DMS{s}->param('_SESSION_REMOTE_ADDR') or die("b
+ad ip");


$$DMS{u}{userdir} = $$DMS{CONF}{DOC_USERS}.'/'.$$DMS{s}->param('user')
+;
print STDERR "userdir $$DMS{u}{userdir}";
$$DMS{u}{logfile} = $$DMS{u}{userdir}.'/'.$$DMS{s}->param('user').'.lo
+g';
$$DMS{Q} = $$DMS{s}->param('Q');

# get some form stuff
$$DMS{upload}{filename} = $cgi->param('user_file'); 
my $data = $cgi->upload('user_file');    

#untaint some stuff
if ($$DMS{u}{userdir}=~m/^([\/_\@\w .-]+)$/){ $$DMS{u}{userdir}=$1;} e
+lse {die("cant untaint userdir $$DMS{u}{userdir}\n");}
if ($$DMS{upload}{filename}=~m/^([\/_,\@\w .-]+)$/){ $$DMS{upload}{fil
+ename}=$1;} else {die("cant untaint name $$DMS{upload}{filename}\n");
+}

# should filename change because file alreaduy exists?

$$DMS{upload}{filename} = savename($$DMS{u}{userdir},$$DMS{upload}{fil
+ename}); #change name if file already exists.    
$$DMS{upload}{destination} = "$$DMS{u}{userdir}/$$DMS{upload}{filename
+}";

userlog($DMS,'about to save upload');

DMS::Files::Upload::saveupload($DMS,$data) or die("cant save upload");

$$DMS{upload}{docfilepath}=$$DMS{upload}{destination}; $$DMS{upload}{d
+ocfilepath}=~s/^$$DMS{CONF}{DOC}\/// or die ($$DMS{upload}{docfilepat
+h}." not in DMS_CONF_DOC=$$DMS{CONF}{DOC}"); 
$$DMS{upload}{docfilepath}=~s/\/\//\//g;
# place in Q
$$DMS{Q}{$$DMS{upload}{docfilepath}}=1;
$$DMS{s}->param('Q',$$DMS{Q});
$$DMS{s}->flush;
#print "Content-type: text/html\n\n";
print "Location: $$DMS{CONF}{WWW}/file.cgi?session=$$DMS{S}{session}\n
+\n";
#print Dumper($DMS);    

exit;
[download]

Should I be untainting $$DMS{S}{session}, or $$DMS{CONF}{SESSIONS_DIR} ? is that the problem? I can access the session data just fine. Maybe I need to untaint the string I am recording to the session?

Any feedback appreciated. Thank you.

Comment on problem saving string to cgi::session with Taint Select or Download Code

Replies are listed 'Best First'.
Re: problem saving string to cgi::session with Taint by leocharre (Priest) on May 04, 2006 at 16:24 UTC
update: I was being a retard.. The session id and the session directory on server needed to be untainted, not for reading, but for writing. duh. so.. I added this: #......y $DMS = load_nouser(conf=>'/srv/www/htdocs-devel/dms/conf/dms. +conf'); #init cgi my $cgi = new CGI; for ($cgi->param()){ /^session$\|^user_file$/ or die("bad field"); } + # some minor checking .. make sure no extraneous data send $$DMS{S}{session} = $cgi->param('session'); $$DMS{S}{session}=~m/^\w{3 +2}$/ or die("no sid [$$DMS{S}{session}] or not 32 word chars"); ################################################################# # I WAS BEING A RETARD: these needed to be untainted... :) if ($$DMS{S}{session}=~m/(^\w+$)/){ $$DMS{S}{session}=$1; } else {die $!;} if ($$DMS{CONF}{SESSIONS_DIR}=~m/^([\/\w -]+)$/){ $$DMS{CONF}{SESSIONS_DIR}=$1; } else {die $!;} ############################################################## # you dont need to untaint to read, but to write, yes, to the session +file $$DMS{s} = new CGI::Session("driver:File",$$DMS{S}{session},{ Director +y=> $$DMS{CONF}{SESSIONS_DIR} }); $ENV{REMOTE_ADDR} or die ('no ip'); $ENV{REMOTE_ADDR} eq $$DMS{s}->param('_SESSION_REMOTE_ADDR') or die("b +ad ip"); # ...... [download] Now it's happy :).	[reply] [d/l]

Replies are listed 'Best First'.

Re: problem saving string to cgi::session with Taint
by leocharre (Priest) on May 04, 2006 at 16:24 UTC

update: I was being a retard.. The session id and the session directory on server needed to be untainted, not for reading, but for writing. duh. so.. I added this:

#......y $DMS = load_nouser(conf=>'/srv/www/htdocs-devel/dms/conf/dms.
+conf');

#init cgi
my $cgi = new CGI;
for ($cgi->param()){    /^session$|^user_file$/ or die("bad field"); }
+ # some minor checking .. make sure no extraneous data send

$$DMS{S}{session} = $cgi->param('session'); $$DMS{S}{session}=~m/^\w{3
+2}$/ or die("no sid [$$DMS{S}{session}] or not 32 word chars");

#################################################################
# I WAS BEING A RETARD: these needed to be untainted... :)
if ($$DMS{S}{session}=~m/(^\w+$)/){
    $$DMS{S}{session}=$1;
} else {die $!;}

if ($$DMS{CONF}{SESSIONS_DIR}=~m/^([\/\w -]+)$/){
    $$DMS{CONF}{SESSIONS_DIR}=$1;
} else {die $!;}
##############################################################

# you dont need to untaint to read, but to write, yes, to the session 
+file
$$DMS{s} = new CGI::Session("driver:File",$$DMS{S}{session},{ Director
+y=> $$DMS{CONF}{SESSIONS_DIR} });
$ENV{REMOTE_ADDR} or die ('no ip');
$ENV{REMOTE_ADDR} eq $$DMS{s}->param('_SESSION_REMOTE_ADDR') or die("b
+ad ip");
# ......
[download]

Now it's happy :).

[reply]
[d/l]