in reply to RE: Warning our Fellow Monks
in thread Warning our Fellow Monks

Would a regular expression around the query string solve the problem?
Basically, what a regex does to untaint a variable is to ensure that only valid characters are in the variable. The variable in question, in this example, is $siteinfo[1]. Unfortunately, it's very, very difficult to find an appropriate regex that can perfectly secure user-supplied data that is passed to the shell. What I would probably do in this case is creates a hash that has the user data as the key and the hash value as the actual file to be opened. I say "probably" because if you have hundreds of files that the user could open, you would want to take a different solution.
my %files = ( colors => 'colors.dat', tests => 'test.txt', names => 'names.dat', bribes => 'politicians.txt' ); open IN, "<$filepath/$files{$siteinfo[1]}" or someErrorRoutine( "Can't open $filepath/$siteinfo[1] for reading: +$!" );
In the above example, the user data is used to pull a value from a hash. Since you have created those hash values, you know they are safe. If the hash value doesn't exist, then someErrorRoutine() is called. Depending upon how your site is set up, you might want someErrorRoutine to log the details of the failure. The key point to remember here is that user data never gets close to the shell (and that you should always check to see if your open statement failed).

Also, taint checking should still be used here. The following regex is interesting to me:

$siteinfo[1] =~ /^[^.]+/(\w+\.\w+)$/ or someErrorRoutine( "Regex failed" ); my $fileToOpen = $1; # $fileToOpen untainted
In this case, we are making sure that there are NO periods prior to the final slash and only one period in the actual filename. Note that the error subroutine is called on failure. If it's not and that fails, $1 might contain an undesireable value that gets assigned to $fileToOpen.

The Moral: When untainting data, make sure you check for failure of your regex to match.

For a little more information about exploits like this, read this article (thanks to tilly for that link).


Join the Perlmonks Setiathome Group or just go the the link and check out our stats.