mkanat has asked for the wisdom of the Perl Monks concerning the following question:
Fundamentally, my question is "Why is the output of abs_path tainted?" That is, what are the security risks of trusting the output of abs_path, provided that the input data (the relative path) is untainted?
I'm asking because I call abs_path from the inside of a module (VCI) that I maintain on CPAN. I allow callers to specify a relative path to their repositories, and convert that to an absolute path before passing it to Git, CVS, or Subversion (none of which natively support relative paths).
I'm working on making VCI taint-safe.
Provided that the code I'm using to interact with these VCSes is otherwise safe, what risks would I be exposing my users to if I blindly detainted the output of abs_path inside of VCI?
"Don't allow relative paths" isn't an option, because the test suite needs to use them. Also, it would be a definite inconvenience in general.
-Max
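An added example, not part of the original post or of VCI: one way to untaint the result of abs_path by validating it instead of blindly, assuming repositories are expected to live under a directory the caller trusts. The helper name `resolve_under` and the allowlist pattern are hypothetical. The check matters because abs_path's return value depends on filesystem state (the current directory and any symlinks) as well as on its argument.

```perl
#!/usr/bin/perl -T
# Run with taint mode on: perl -T resolve_under.pl
use strict;
use warnings;
use Cwd qw(abs_path);
use Scalar::Util qw(tainted);

# resolve_under() is a hypothetical helper, not part of VCI or Cwd.
# It returns an untainted absolute path for $rel, or dies if the resolved
# path falls outside $root or contains characters outside the allowlist.
sub resolve_under {
    my ($root, $rel) = @_;
    die "refusing tainted input\n" if tainted($root) || tainted($rel);

    my $real_root = abs_path($root);
    my $abs       = abs_path("$root/$rel");
    die "cannot resolve '$root/$rel'\n"
        unless defined $real_root && defined $abs;

    # Containment check on the resolved values, so a symlink or ".."
    # that leads out of $root is rejected rather than laundered.
    $real_root =~ s{/+\z}{};
    die "'$abs' is outside '$real_root'\n"
        unless $abs eq $real_root || index($abs, "$real_root/") == 0;

    # Untaint via a capture from an allowlist pattern (assumed policy:
    # POSIX-style paths made of word characters, '.', '+', '-' and '/').
    my ($clean) = $abs =~ m{\A(/|(?:/[\w.+-]+)+)\z}
        or die "unexpected characters in '$abs'\n";
    return $clean;
}

# Demo relative to the current directory (constructed inputs).
my $here = abs_path('.');
printf "abs_path output tainted: %s\n", tainted($here) ? 'yes' : 'no';

for my $rel ('.', '..') {
    my $path = eval { resolve_under('.', $rel) };
    if (defined $path) {
        printf "%-3s -> %s (tainted: %s)\n", $rel, $path,
            tainted($path) ? 'yes' : 'no';
    } else {
        print "$rel rejected: $@";
    }
}
```

The allowlist is deliberately strict, so a working directory whose name contains spaces or other characters outside the pattern is rejected until the pattern is widened for the paths actually in use.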
Re: Security risks of Cwd::abs_path (Why is abs_path tainted?)
by Fletch (Bishop) on Dec 20, 2007 at 02:50 UTC
by mkanat (Novice) on Dec 20, 2007 at 02:52 UTC