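# Here's the code that revealed the problem. It seemed peculiar that
# IO::Handle::untaint($fh) worked yet $fh->untaint didn't. Using
# *$fh{IO}->untaint() as I did works, too, but at best would seem an
# unsightly hack. --tom

use strict;
use warnings;
use File::stat;
use Symbol 'qualify_to_ref';
use IO::Handle;

# Decide whether the file behind an already-open handle looks safe to trust.
#
# The check is made on the open handle (an fstat), not on a path name, so the
# verdict applies to the very file that was opened and cannot be changed out
# from under us between the check and the later use of the handle.
#
# Argument: a filehandle -- a lexical handle, a glob, or a bareword name (the
#           '*' prototype plus qualify_to_ref accept all three forms).
# Returns:  1 if the file looks safe, 0 if it looks vulnerable, and an empty
#           return (undef in scalar context) if the handle could not be
#           stat()ed.
sub handle_looks_safe(*) {
    my $fh   = qualify_to_ref(shift, caller);
    my $info = stat($fh);    # File::stat object, or undef on failure
    return unless $info;

    # Owner must be the superuser or the real uid this process runs as.
    if (($info->uid != 0) && ($info->uid != $<)) {
        return 0;
    }

    # Group- or world-writable (mode bits 022): someone else could replace
    # the contents ...
    if ($info->mode & 022) {
        # ... unless it is a directory (the '_' handle reuses the buffer
        # filled by the stat() call above) ...
        return 0 unless -d _;
        # ... that has the sticky bit (01000) set, which limits deleting
        # and renaming entries to their owner.
        return 0 unless $info->mode & 01000;
    }
    return 1;
}

for my $filename (@ARGV) {
    # Three-argument open with an explicit read mode: the command-line
    # argument is data only and can never be taken as a mode prefix or a
    # pipe specification, which the two-argument open($fh, $filename) form
    # used here before would have allowed.
    open(my $fh, '<', $filename) or do {
        warn "Can't open $filename: $!\n";
        next;
    };

    if (handle_looks_safe($fh)) {
        print "Handle $fh opened to $filename seems ok, untaiting.\n";
        ##########################
        # PERL BUG: can't call $fh->untaint();
        ##########################
        # Reach the IO::Handle object stored in the glob directly; the note
        # at the top of this file explains why the method-call form is not
        # used here.
        *$fh{IO}->untaint();
    }
    else {
        print "Handle $fh opened to $filename is vulnerable.\n";
    }
    close $fh;
}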