PerlMonks  

Re^3: Taint and Shellshock

by LanX (Saint)
on Sep 28, 2014 at 10:00 UTC [id://1102265]


in reply to Re^2: Taint and Shellshock
in thread Taint and Shellshock

While in theory you can whitelist keys which need to be passed through from the parent's env to bash, you'll hardly be able to avoid dangerous values without some heuristics...

Like forbidding anything which looks like an env-function.

That's what my regex does in a generic way, i.e. erasing magic values starting with () { .

You are free to combine it with further defense measures.°

But I doubt you can efficiently realize an individual validation for each string format (like PATH, HOST, IP, USERNAME, ...)

Cheers Rolf

(addicted to the Perl Programming Language and ☆☆☆☆ :)

°) something like (untested)

 local %ENV = map { $_ => kill_func $ENV{$_} } @whitelist

Re^4: Taint and Shellshock
by kennethk (Abbot) on Sep 29, 2014 at 18:02 UTC
    ww posted an article that comes to similar conclusions to yours. I'm definitely more inclined toward a whitelist than a blacklist, but I'd much prefer a hard-coded environment for my child process. The original intent of my query was really to find out why a scorched earth approach might be problematic. In the kind of code I end up running in these types of situations, there's no reason not to take the draconian approach (PDF generation, numerics, ...). I also try to avoid single-argument system and exec, but that's mostly because I don't trust my escaping talents.

    In any case, I'll be using your regex for any values I have to pass through, and I appreciate your thoughts on the matter.


    #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

      > ww posted an article that comes to similar conclusions to yours.

      CAUTION! DON'T

      While the explanation in the article is good, the regex is not.

      While I disable ALL function definitions to avoid any eval, this one tries to disable only those containing injected code after the function's body.

      In other words it tries to parse the function, but similar to "only Perl can parse Perl" this is doomed to fail.

      I've already seen shellshock exploits where the injected code was somewhere within the body. ¹

      If you want to play safe, disable all unknown function definitions like I did and allow only some where you have full control!

      Cheers Rolf

      (addicted to the Perl Programming Language and ☆☆☆☆ :)

      ¹) parsing complexity is the reason why there are so many patching attempts to fix this
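
The three ideas in this thread put together as one added Perl example: the whitelist-plus-kill_func sketch from the first post, kennethk's hard-coded child environment and list-form system, and the last reply's point that a value starting like a function definition should be erased outright rather than parsed. This is not code from this thread or from any of its authors. kill_func is reimplemented here as a "starts with () {" check (LanX's actual regex lives in the parent post, which is not on this page); the whitelist, the PATH/LANG values, the sample parent environment and the injected strings are constructed for illustration; /bin/bash and /usr/bin/env are assumed paths.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# A value that starts with "() {" is what bash (before the Shellshock
# patches) imported as a function definition. We do not try to parse
# the body: injected code may sit after the closing brace or inside it,
# so the generic rule is "kill anything that starts like a function".
# The regex allows arbitrary whitespace, deliberately wider than bash's
# own "() {" prefix test.
sub looks_like_function {
    my ($value) = @_;
    return defined $value && $value =~ /\A\s*\(\)\s*\{/;
}

# kill_func (name taken from the post above, body assumed here):
# erase the value instead of trying to repair it.
sub kill_func {
    my ($value) = @_;
    return looks_like_function($value) ? '' : $value;
}

# Whitelist approach: pass through only the named keys, each sanitized.
# Keys missing from the parent are skipped rather than exported as undef.
sub whitelisted_env {
    my ($parent, @whitelist) = @_;
    return map  { $_ => kill_func($parent->{$_}) }
           grep { exists $parent->{$_} } @whitelist;
}

# Hard-coded approach: nothing from the parent is inherited at all.
my %HARDCODED_ENV = (
    PATH => '/usr/bin:/bin',   # assumed value
    LANG => 'C',
);

# Run a command with exactly the given environment. The block form of
# system never goes through /bin/sh, even when @cmd has one element,
# which is the single-argument pitfall mentioned above.
sub run_with_env {
    my ($env, @cmd) = @_;
    local %ENV = %$env;
    return system { $cmd[0] } @cmd;
}

# Constructed sample parent environment (not a captured attack):
my %parent = (
    PATH            => '/usr/local/bin:/usr/bin:/bin',
    HOME            => '/home/www',
    HTTP_USER_AGENT => '() { :;}; echo code-after-the-body',
    HTTP_COOKIE     => '() { echo code-inside-the-body; }',
    SECRET_TOKEN    => 'never-reaches-the-child',
);

my %child = whitelisted_env(\%parent, qw(PATH HOME HTTP_USER_AGENT HTTP_COOKIE));
printf "%-16s => '%s'\n", $_, $child{$_} for sort keys %child;

# Both function-looking values are now empty strings and SECRET_TOKEN
# is absent, whatever bash version is installed.
run_with_env(\%child, '/bin/bash', '-c',
    'echo "bash sees UA=[$HTTP_USER_AGENT] COOKIE=[$HTTP_COOKIE] TOKEN=[${SECRET_TOKEN:-unset}]"');

# The scorched-earth variant: the child lists only PATH and LANG.
run_with_env(\%HARDCODED_ENV, '/usr/bin/env');
```

Erasing the value (rather than deleting the key) keeps the whitelist stable for the child, which may expect the variable to exist; if that does not matter for your child process, the hard-coded form at the end is the simpler and stricter choice.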
