perl.perl5.porters | Postings from February 2000

README: three important security proposals

From: Tom Christiansen
Date: February 7, 2000 05:57
Subject: README: three important security proposals
Message ID: 4744.949931854@chthon

------- Forwarded Message

Date:          Mon, 07 Feb 2000 06:56:37 MST
From:          Tom Christiansen <tchrist@chthon>
Subject:       Re: Perl's alleged tempfile vulnerabilities 
To:            Lupe Christoph <lupe@lupe-christoph.de>
Cc:            Tom Christiansen <tchrist@CHTHON.PERL.COM>, BUGTRAQ@SECURITYFOCUS.COM, tchrist
In-Reply-To:   Message from Lupe Christoph <lupe@lupe-christoph.de> of "Sun, 06 Feb 2000 10:35:17 +0100." <20000206103516.O12877@alanya.lupe-christoph.de>

>Both sfio97 and sfio98 have (except for one teensy change) the same
>sftmp.c. sftmp.c has this file creation code:
>
[randomization stuff deleted]
>
>  if((fd = open(file,O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY,SF_CREATMODE)) >= 0)

Thanks for that snippet!

The real problems as I perceive them are the following, ranked
by seriousness:

 1) ISSUE:  People think that open(TMP, ">/tmp/foo.$$") is fine.

    FIX:    Point out in the perlfunc/open doc that this is not
            secure, especially in directories anyone can delete
            anything from.  Refer readers to a new section in the
            perlsec manpage on secure Perl programming that would
            cover diverse non-trivial and non-obvious tmpfile issues.


 2) ISSUE:  By relying upon native semantics for tmpfile and tmpnam
            (and making them more than somewhat hard-to-find), Perl
            is at the mercy of each platform's peculiar problems.
            For example, on SunOS and SysVr3-derived code, tmpfile
            appears to use fopen(path, "w+"), which is problematic.

    FIX:    We should include in Perl implementations for these
            routines whose provenance we can guarantee, irrespective
            of platform.  That way we *know* what we're getting.
            This is like the matter of using our own globbing code
            instead of calling out to a native executable.  The
            fixes suggested for issue #1 should satisfy the "hard
            to find" part here.


 3) ISSUE:  There exists no standard equivalent in Perl to the libc
            functions mktemp(3), mkstemp(3), mkstemps(3), or
            mkdtemp(3).  These functions all receive as an argument
            a mutable template string, thus permitting the program
            to specify the directory in which the temp files shall
            occur, and the general format of their names.

    FIX:    Add some or all of these templatizing functions to the
            standard Perl distribution.  Define tmpfile() in terms
            of mkstemp(), with an unlink().  These can all go in
            one module, not scattered about as IO::File::tmpfile()
            and POSIX::tmpnam() currently are.  Although there is
            a CPAN module for some of this, that module is buggy.
            Include doc fixes per issue #1.

- --tom

------- End of Forwarded Message
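The following is an added illustration, not code from Tom's message or from the Perl distribution, of what issues 2 and 3 propose: a mkstemp-style routine written in Perl itself (so its behaviour does not depend on the platform's libc), and a tmpfile defined as mkstemp plus unlink. The names mkstemp_pl and tmpfile_pl are this example's own; it assumes a Unix-like system with O_EXCL semantics and uses Perl's rand() only as a stand-in for a proper random source.

```perl
#!/usr/bin/perl
# Added example: a minimal mkstemp(3)-like routine in pure Perl.
# The template's trailing X's are replaced with random characters and
# the file is created with O_CREAT|O_EXCL, so an existing file or
# symlink at that path is never opened or truncated. Function names are
# this example's own, not part of Perl or any module.
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT O_EXCL);
use Errno qw(EEXIST);

my @CHARS = ('a'..'z', 'A'..'Z', '0'..'9');

# mkstemp_pl("/tmp/foo.XXXXXX") returns (filehandle, path) or dies.
sub mkstemp_pl {
    my ($template) = @_;
    my ($prefix, $xs) = $template =~ /^(.*?)(X+)$/
        or die "template must end in X's: $template";
    my $len = length $xs;
    for my $try (1 .. 100) {
        # rand() is used for brevity; a real implementation wants a CSPRNG.
        my $path = $prefix . join '', map { $CHARS[int rand @CHARS] } 1 .. $len;
        # O_EXCL makes creation atomic: if the name already exists we get
        # EEXIST and pick another name instead of clobbering anything.
        if (sysopen(my $fh, $path, O_RDWR | O_CREAT | O_EXCL, 0600)) {
            return ($fh, $path);
        }
        die "sysopen $path: $!" unless $! == EEXIST;
    }
    die "mkstemp_pl: gave up after 100 attempts on $template";
}

# tmpfile_pl: tmpfile built on mkstemp_pl plus an immediate unlink, as
# the post proposes; the handle stays usable while the name is gone.
sub tmpfile_pl {
    my ($dir) = @_;
    $dir = $ENV{TMPDIR} // '/tmp' unless defined $dir;
    my ($fh, $path) = mkstemp_pl("$dir/pl.XXXXXXXX");
    unlink $path or warn "unlink $path: $!";
    return $fh;
}

# Usage. The insecure idiom from issue #1, for contrast, would be
#   open(TMP, ">/tmp/foo.$$")   # predictable name, follows symlinks, truncates
my $fh = tmpfile_pl();
print $fh "scratch data\n";
seek $fh, 0, 0;
print scalar <$fh>;
close $fh;
```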

