Re: Vulnerabilities when editing untrusted code... (Komodo)

by mtve (Deacon)
on Jul 01, 2010 at 09:50 UTC (#847484)

in reply to Vulnerabilities when editing untrusted code... (Komodo)

your approach wouldn't help:

exit; ''=~('(?{B'.'EGIN{print "owned"}})')

see also Acme::EyeDrops
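
Why a literal keyword scan misses the snippet above, as an added example that is not part of the original post: the BEGIN token only exists once Perl folds the two string constants together. The scanner, its function names and the "benign" sample are hypothetical and constructed here; folding single-quoted literals covers only this one way of assembling the string.

```python
import re

# Constructed samples; "split" and "direct" are the one-liners quoted in this thread.
SAMPLES = {
    "split":  """exit; ''=~('(?{B'.'EGIN{print "owned"}})')""",
    "direct": """exit; '' =~ m/(?{ BEGIN{ die "owned"} })/ ;""",
    "benign": """my $s = 'a' . 'b'; print "$s\\n";""",
}

# perl -c still runs BEGIN, UNITCHECK and CHECK blocks and use statements (perlrun).
COMPILE_TIME = re.compile(r"\b(?:BEGIN|UNITCHECK|CHECK)\s*\{|\buse\s+\w")
CODE_BLOCK = re.compile(r"\(\?\??\{")        # (?{ ... }) and (??{ ... })
SQ = r"'((?:[^'\\]|\\.)*)'"                   # one single-quoted literal
CONCAT = re.compile(SQ + r"\s*\.\s*" + SQ)    # 'a' . 'b'


def fold(src):
    """Join 'a' . 'b' into 'ab' until nothing changes.

    Only the simple single-quoted case is handled; this is not a Perl parser.
    """
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def scan(src):
    """Return the set of findings for one source text."""
    findings = set()
    if COMPILE_TIME.search(src):
        findings.add("compile-time block (literal)")
    folded = fold(src)
    if folded != src and COMPILE_TIME.search(folded):
        findings.add("compile-time block (after folding)")
    if CODE_BLOCK.search(folded):
        findings.add("regex code block")
    return findings


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, sorted(scan(text)))
```

An empty result says nothing about a file: strings can be assembled in ways no pattern anticipates (see Acme::EyeDrops), so a syntax check of untrusted Perl has to be treated as running it.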

Replies are listed 'Best First'.
Re^2: Vulnerabilities when editing untrusted code... (compiletime injection in regex)
by LanX (Sage) on Oct 06, 2021 at 14:46 UTC
    looks like this has been taken care of!

    D:\tmp\pm>type
    exit; '' =~ ('(?{B'.'EGIN{die "owned"}})');
    D:\tmp\pm>perl -c
    Eval-group not allowed at runtime, use re 'eval' in regex m/(?{BEGIN{die "owned" }})/ at line 3.
    D:\tmp\pm>perl -v
    This is perl 5, version 32, subversion 1 (v5.32.1) built for MSWin32-x64-multi-thread

    Tho I don't understand the message. Why "runtime"???


    found this and mailed Reini asking for insight. :)

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery

      OK the term "eval-group" seems to refer to an optimization which concats 2 strings

      '' =~ ('STRING1'.'STRING2');

      but if you don't bother splitting up the BEGIN you can still inject code at compiletime :(

      D:\tmp\pm>type
      exit; '' =~ m/(?{ BEGIN{ die "owned"} })/ ;
      D:\tmp\pm>perl -c
      owned at line 2.
      BEGIN failed--compilation aborted at line 2.
      D:\tmp\pm>

      Cheers Rolf
      (addicted to the Perl Programming Language :)
      Wikisyntax for the Monastery

      ) and variable interpolation in general see re#'eval'-mode

Re^2: Vulnerabilities when editing untrusted code... (Komodo)
by LanX (Sage) on Jul 01, 2010 at 11:05 UTC

    lanx@nc10-ubuntu:~$ cat >/tmp/
    exit; ''=~('(?{B'.'EGIN{print "owned\n"}})')
    lanx@nc10-ubuntu:~$ perl /tmp/
    owned
    lanx@nc10-ubuntu:~$ perl -c /tmp/
    /tmp/ syntax OK

    A syntax check doesn't execute your code!


    corrected test:

    lanx@nc10-ubuntu:/tmp$ cat >
    exit; ''=~('(?{B'.'EGIN{print "owned"}})')
    lanx@nc10-ubuntu:/tmp$ cat
    exit; ''=~('(?{B'.'EGIN{print "owned"}})')
    lanx@nc10-ubuntu:/tmp$ perl -c
    syntax OK
    ownedlanx@nc10-ubuntu:/tmp$

    WOW! 8(

    Cheers Rolf

      well, it actually executes for me:
      $ perl -c
      owned
      syntax OK
      $ perl -MO=Deparse
      owned
      exit;
      '' =~ /(?{BEGIN{print "owned\n"}})/;
      syntax OK
      $ perl --version

      This is perl, v5.10.0 built for x86_64-linux-gnu-thread-multi

      Copyright 1987-2007, Larry Wall

      Perl may be copied only under the terms of either the Artistic License or the
      GNU General Public License, which may be found in the Perl 5 source kit.

      Complete documentation for Perl, including FAQ lists, should be found on
      this system using "man perl" or "perldoc perl".  If you have access to the
      Internet, point your browser at, the Perl Home Page.
      $

        my fault, apparently I overlooked the "owned" text before the prompt.

        That's REALLY strange... 8(

        Cheers Rolf
