Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer

Re: Trojan Horse? (taint mode)

by dws (Chancellor)
on Nov 25, 2001 at 10:53 UTC ( #127371=note: print w/replies, xml ) Need Help??

in reply to Trojan Horse? (taint mode)

I'm under the impression that tainted data is mainly a concern if you're going to eval it, or pass it to system or backticks, are there any really sneaky situations that I'm missing?

  open(IN, $file);

can really spoil your day if $file contains   "| rm -f *"

Replies are listed 'Best First'.
Re(dmm): Trojan Horse? (taint mode)
by dmmiller2k (Chaplain) on Nov 28, 2001 at 01:21 UTC
    The author warns that a string like "$a" does variable interpolation. No surprise there. Then he say's "But you now know that "a" can be replaced ba a block as long as it returns a reference to a scalar..." and so we should be worried about someone filling a variable with {system('/bin/rm -rf /*')} and maybe doing 'bad things' to us.

    In my humble opinion, by his statement, "a" can be replaced, the original author may be discussing literally replacing the letter 'a' in the expression, "$a", with an actual (curly brace-delimited) block of code; in other words, changing the expression (quotes and all), "$a" to the different other expression, "${system('/bin/rm -rf /*')}", not necessarily assigning such a string as "{system('/bin/rm -rf /*')}", to the variable, $a and interpolating that.

    I by no means intend, by posting this reply, to minimize the importance of the interpolation discussions. Nor is it my purpose to cast a pall on any of the extemely pertinant, valid points made in any of those threads.

    However, the questions being discussed do not seem to me to be addressing the behavior described (as I read it) by the original author (not that it was especially well written). Perhaps all is right with the world and interpolation is, in fact, predictable.


    You can give a man a fish and feed him for a day ...
    Or, you can teach him to fish and feed him for a lifetime
      The only problem with that interpretation is that it doesn't match the "Moral of the Story" (which is "Be very careful of strings that you get from untrusted sources.") Shooting yourself in the foot that way has nothing to do with strings from untrusted sources. The disconnect is as strong as if it had said:
      Look at this troublesome code:
      1 while fork();

      Moral of the Story: Don't trust external data sources.

      Both pieces are true (fork bombs are bad, external data shouldn't be trusted) but the jump from one to the other is unclear and misleading. It implies that external data can cause unexpected fork bombs, but it doesn't actually demonstrating how such a thing might happen.


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://127371]
[Corion]: A good morning and weekstart to you too, Discipulus!

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (5)
As of 2018-06-25 07:16 GMT
Find Nodes?
    Voting Booth?
    Should cpanminus be part of the standard Perl release?

    Results (126 votes). Check out past polls.