Great thanks!!! I just realized my path had problems :)
This obviously works but may reduce portability. If you need to run on various machines and so cannot rely on absolute paths, but can rely on relative paths, then you can do something like:
#!/usr/bin/perl -wT
# amend @INC without taint
use FindBin;                        # $FindBin::RealBin: the script's directory, symlinks resolved
my $path = $FindBin::RealBin;
$path =~ /^(.+)$/;                  # capture into $1 to untaint the value under -T
$path = $1;
my $relative_path = ??????????      # placeholder: the module directory relative to the script
unshift @INC, "$path/$relative_path";
You can't trust $0. The code you provided makes code injection possible.
- Create a symlink to the script.
- Place the code to inject in a module in a path relative to the symlink.
- Replace the symlink with a plain file after Perl opens the script but before FindBin has a chance to resolve the link.
If you're writing a server where your attackers are remote, this isn't a problem. If you're writing a setuid script, this is a problem.
Proof of concept follows.
ikegami++ for making me more paranoid than ever!
When I first saw your post, I thought "$0 is evil, well, of course it is!". Then I thought, hrm, but where's the $0? So I ran perldoc -m FindBin and sure enough, right there in the CORE of perl was a $0 lurking beneath the covers.
What scares me about this is the implication that I can trust no module unless I've personally vetted this exact version for issues. I suppose that's always been true but I used to count on the core to do the right thing when it comes to secure programming. Now which modules does my latest catalyst project rely on? Do any of them use FindBin?
Sigh.
I'm not seriously going to vet CPAN but you've made me realize the trust issues in using any module. I suppose there's more value to "reinventing the wheel" than most people think.
ikegami, Thanks. The example is instructive and I bow to a master of the dark arts.
I draw the following morals:
- If at all possible use the hardcoded paths for this sort of bootstrapping exercise.
- If that is not possible, then my example could be saved by validating the $path variable more strictly. There should be a finite set of possible values for $path and if it is something else then die.
I think this illustrates the point of taint checking. Trust no input from outside but validate it against what you know to be valid values.
rowdog, I don't think FindBin is at fault here. It cannot possibly know what are valid values for $0. I am curious as to what modules you have suddenly begun to distrust.
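An added example, not code from any poster in this thread, that puts the two morals above together with the earlier FindBin snippet: the script still derives its location from $FindBin::RealBin, but the only thing it trusts is whether that value is one of a finite set of known installation directories, and the directory actually pushed onto @INC is the hardcoded partner of that entry, never a string built from the untrusted value. The installation paths and the separate lib directory are assumptions for illustration.

```perl
#!/usr/bin/perl -wT
# Added example (not from the thread): bootstrap @INC only after checking the
# FindBin-derived directory against a fixed allowlist, as suggested above.
use strict;
use warnings;
use FindBin qw($RealBin);

# Finite set of places this script is allowed to live, each mapped to the
# module directory that belongs to that installation. Assumed layout.
my %lib_for_bin = (
    '/opt/myapp/bin'       => '/opt/myapp/lib',
    '/usr/local/myapp/bin' => '/usr/local/myapp/lib',
);

# Return the trusted library directory for a script location, or die.
# The regex capture is what untaints the value under -T; on its own it would
# accept almost anything, so the hash lookup is the real check.
sub lib_dir_for {
    my ($bin) = @_;
    die "script location unavailable\n" unless defined $bin;
    $bin =~ m{^(/[\w./-]+)$} or die "unexpected characters in script location\n";
    my $clean = $1;
    my $lib = $lib_for_bin{$clean}
        or die "script is running from '$clean', which is not an approved location\n";
    return $lib;    # a literal from %lib_for_bin, so it is untainted and attacker-independent
}

my $lib = lib_dir_for($RealBin);
unshift @INC, $lib;

# From here on, modules are loaded from the approved directory only.
# require MyApp::Config;   # example of a later runtime load (assumed module name)
print "using modules from $lib\n";
```

Because the value placed on @INC comes from the allowlist rather than from $0, swapping the script for a symlink (or racing its resolution) can at worst make the script die with the "not an approved location" message; it cannot redirect module loading to an attacker-chosen directory. The regex is deliberately strict about characters so that a surprising $0 fails loudly rather than slipping through as a lookup miss with an unhelpful message.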