PerlMonks  

Re: Dangerous diamonds!

by PodMaster (Abbot)
on May 18, 2003 at 13:18 UTC (#258983)


in reply to Dangerous diamonds!

I'm a little surprised people are still being surprised by the magic of the open call. If you're worried, turn on taint.

C:\>perl -Tpel "echo asdf|"
Insecure $ENV{PATH} while running with -T switch.

Also, what if a file has nasty shell escapes? Never mind. BTW, who runs oneliners as root? (i'd consider that a bug)


MJD says you can't just make shit up and expect the computer to know what you mean, retardo!
I run a Win32 PPM repository for perl 5.6x+5.8x. I take requests.
** The Third rule of perl club is a statement of fact: pod is sexy.


Re: Re: Dangerous diamonds!
by Juerd (Abbot) on May 18, 2003 at 15:44 UTC

    I'm a little suprised people are still being suprised by the magic of the open call.

    I'm not surprised by the open call. I'm surprised that Perl uses this way to open files with magic ARGV. Three argument open would have been a lot safer.

    I'm very sure I'm not the only one who forgot that magic ARGV uses normal two-arg open internally. The number of exploitable scripts made by my customers and myself proves that most people are unaware of the security problems or chose to simply ignore them. I found 15 so far.

    If you're worried, turn on taint.

    Thanks. Even though I hate Perl's tainting mechanism, I'll use it here. It still cannot really fix the problem, since scripts will now die if they encounter an invalid file.

    BTW, who runs oneliners as root? (i'd consider that a bug)

    Everyone who needs a script to run as root runs scripts as root.

    Users can't do everything root can, and sometimes you need to be root to do what you want to do.
    Not everything can be done by a user, some things need to be done by root.

    And some of those things are made by me, and those things made by me are written in Perl.
    Perl is a powerful language that lets me do those things in simple one-liners, so I do do that with simple one-liners.

    The one-liners run as root because they need to do things that only root can do.
    The one-liners couldn't do what they need to do if they were not run as root.
    And THAT would be a bug.

    Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

      I'm surprised that Perl uses this way to open files with magic ARGV.
      Why? This feature existed long before open had 3 arguments, why would it suddenly change.
      It still cannot really fix the problem, since scripts will now die if they encounter an invalid file
      There is no problem to fix. Sanitize your @ARGV if you insist on magic.



        Why? This feature existed long before open had 3 arguments, why would it suddenly change.

        I didn't think it would use normal perl open internally. Given that two-arg open enables command execution and that at that time only one- and two-arg open existed, I think it should have opened files by other means.

        But we live in a world that has three-arg open now. It's time to change, imo.

        Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }

        I'm surprised that Perl uses this way to open files with magic ARGV.
        Why? This feature existed long before open had 3 arguments, why would it suddenly change.
        There's more than 2 and 3 argument open. There's also sysopen, which would behave properly, and which exists since 5.002, dating back to March 1996.

        And nobody in his right mind would expect the magic <> to be actually implemented in Perl. Do you? I think, not. C provides far less dangerous library functions.
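As an added example, not code from any of the posts above, here is the behaviour PodMaster, Juerd and the sysopen reply are arguing about, in runnable Perl: the magic <> handing a crafted @ARGV element to a two-argument open, the @ARGV sanitizer PodMaster suggests, and the explicit three-argument open (or sysopen) that Juerd and the sysopen reply would rather see. The crafted name "echo asdf|" is the one from PodMaster's one-liner; the input file is created with File::Temp so the script runs stand-alone, and the function names and the whitelist pattern are my own choices for the demonstration, not anything Perl or the thread prescribes.

```perl
#!/usr/bin/perl
# Added example (not from the thread): magic <> vs. sanitized @ARGV vs.
# explicit three-argument open. Assumes a POSIX-style shell, so that the
# trailing "|" in "echo asdf|" spawns /bin/sh (on Win32 it would be cmd.exe).
# The input file and the crafted name below are constructed for this demo.
use strict;
use warnings;
use File::Temp qw(tempfile);

# A constructed, innocent input file so the script runs stand-alone.
my ($tmp, $plain) = tempfile(UNLINK => 1);
print $tmp "line from a real file\n";
close $tmp;

# 1. Vulnerable: <> hands every @ARGV element to a two-argument open, so a
#    trailing "|" makes it a command whose output is read as "file" content.
#    Localizing @ARGV here is equivalent to a script invoked with these args.
sub read_with_magic_argv {
    local @ARGV = @_;
    my @lines;
    while (<>) { push @lines, $_ }    # "echo asdf|" runs `echo asdf` here
    return \@lines;
}

# 2. PodMaster's remedy: sanitize @ARGV before <> ever sees it. A
#    conservative whitelist refuses everything two-argument open treats
#    as magic (leading "<", ">", "+", "|" or "-", trailing "|", whitespace,
#    "&" dup forms). Names are refused, not "repaired", so nothing crafted
#    reaches the open call. (Hypothetical pattern; it is too strict for
#    names containing spaces, which a real script would have to allow for.)
sub sanitize_argv {
    my @clean;
    for my $name (@_) {
        $name =~ m{\A[\w./][\w./-]*\z}
            or die "refusing suspicious file name '$name'\n";
        push @clean, $name;
    }
    return @clean;
}

# 3. Juerd's preference: no magic at all. A three-argument open (sysopen
#    with O_RDONLY behaves the same way) treats the name as a literal path,
#    so "echo asdf|" simply fails with ENOENT instead of running a command.
sub read_with_three_arg_open {
    my @lines;
    for my $name (@_) {
        open my $in, '<', $name
            or die "cannot open '$name': $!\n";
        push @lines, <$in>;
        close $in;
    }
    return \@lines;
}

my @argv = ($plain, 'echo asdf|');

my $magic = read_with_magic_argv(@argv);
print "magic <> read ", scalar(@$magic),
      " lines; the last one came out of a shell: ", $magic->[-1];

eval { read_with_magic_argv(sanitize_argv(@argv)); 1 }
    or print "sanitized: $@";

eval { read_with_three_arg_open(@argv); 1 }
    or print "three-arg open: $@";

print "three-arg open on the real file: ",
      @{ read_with_three_arg_open($plain) };
```

Run it as `perl diamonds.pl` with no arguments; it supplies its own @ARGV. Adding -T changes only the first case: reading a file whose name is tainted is allowed, so the real file still opens, but the piped open dies (as PodMaster's one-liner shows) instead of running the command, which is the "script now dies" behaviour Juerd objects to. Since Perl 5.22 the double-diamond operator <<>> gives the magic loop three-argument-open semantics, so the hazard only survives in code that still spells it <>.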

Re: Re: Dangerous diamonds!
by dws (Chancellor) on May 18, 2003 at 15:57 UTC
    BTW, who runs oneliners as root? (i'd consider that a bug)

    It's not just one-liners, and it's not just root. Any script that doesn't untaint ARGV is vulnerable. Partly, that vulnerability is incidental, given that once someone has broken into an account it is a lot easier for them to do damage directly, rather than wasting time attacking some Perl script.

    Very few Perl books talk about ARGV being a vulnerability. Or if they do, it's in passing in one part of the book, with examples in other parts ignoring the hazard.

      Any script that doesn't untaint ARGV is vulnerable.

      Which is this thread's lesson :)

      But I still think magic ARGV should not use two-arg open.

      Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
