Re: The importance of avoiding the shell

This also points to one of Perl 5's great features, taint mode and the -T flag.

The core of the bash problem is that it takes outside data and treats it as code. Perl's -T flag prevents your program from making the same mistake without explicitly untainting the data.

From perlsec:

(With -T enabled), you may not use data derived from outside your program to affect something else outside your program--at least, not by accident. All command line arguments, environment variables, locale information (see perllocale), results of certain system calls ("readdir()", "readlink()", the variable of "shmread()", the messages returned by "msgrcv()", the password, gcos and shell fields returned by the "getpwxxx()" calls), and all file input are marked as "tainted". Tainted data may not be used directly or indirectly in any command that invokes a sub-shell, nor in any command that modifies files, directories, or processes, with the follow- ing exceptions: ...

It pains me that so far there are no plans (so far as I know) to carry over taint mode into Perl 6.

xoxo,
Andy

Comment on Re: The importance of avoiding the shell

Replies are listed 'Best First'.
Re^2: The importance of avoiding the shell by Anonymous Monk on Sep 26, 2014 at 15:14 UTC
To be clear in my head, you're saying that if I run CGI scripts in taint mode that I don't need to worry about this bash bug from CGI?	[reply]
Re^3: The importance of avoiding the shell by ikegami (Patriarch) on Sep 29, 2014 at 06:54 UTC
I'm pretty sure that is what he's saying, but he's wrong if that's the case. `$ HTTP_ACCEPT='() { :;}; echo 0wn3d' \ perl -T -e'$ENV{PATH}=""; system(q(/bin/ls -- "$HOME"))' 0wn3d ... contents of home dir ...` [download] While `$ENV{HTTP_ACCEPT}` is tainted, `system` doesn't check if it's tainted.	[reply] [d/l] [select]
Re^3: The importance of avoiding the shell by Anonymous Monk on Sep 26, 2014 at 15:25 UTC
Taint mode, like most security measures, is "just" an additional security measure. Whether or not you "need to worry" depends a whole lot on the individual situation. Generally, turning on taint mode in CGI scripts is a good idea, but it is not a silver bullet.	[reply]
Re^3: The importance of avoiding the shell by petdance (Parson) on Oct 01, 2014 at 19:50 UTC
No, I am not making any claims about taint mode mitigating the bash bug. My point is that the bash bug is, at its core, about treating untrusted data as executable code. Perl's taint mode is designed to catch that problem in Perl code. Say you get an argument from the command line in your Perl program. That variable is now tainted, because it came from an untrusted source. Now, say you try to execute a command with `system` using that variable. Perl's taint mode will disallow it because the data fed to `system` is untrustworthy. xoxo, Andy	[reply]