pp_sys.c has this:

    PP(pp_glob)
    {
        OP *result;
        tryAMAGICunTARGET(iter, -1);

        ENTER;

    #ifndef VMS
        if (PL_tainting) {
            /*
             * The external globbing program may use things we can't control,
             * so for security reasons we must assume the worst.
             */
            TAINT;
            taint_proper(PL_no_security, "glob");
        }
    #endif /* !VMS */

And perlsec has this:

    @files = <*.c>;         # Always insecure (uses csh)
    @files = glob('*.c');   # Always insecure (uses csh)

At the very least, the comments are misleading. glob() no longer uses an
external program, so the "Always" part is wrong. Likewise, the pp_sys.c
comment is problematic: what if you're not using an external globbing?
The answer is that at some level, it comes down to readdir, which is now
tainted. Here's the 5.005 perldelta entry:

    =head2 Security fixes may affect compatibility

    A few taint leaks and taint omissions have been corrected. This may
    lead to "failure" of scripts that used to work with older versions.
    Compiling with -DINCOMPLETE_TAINTS provides a perl with minimal
    amounts of changes to the tainting behavior. But note that the
    resulting perl will have known insecurities.

So, in theory this should apply to globbing, too. And in fact, it does,
as you notice if you look at Glob.xs. It's just not for the reasons given
in the previously cited comments, which should be altered.

It also occurs to me that readdir() doesn't allow untainting of the
handle. I'd kinda expect that since you can untaint a filehandle, you
should be able to do likewise on a directory handle.

Other tainting oddities:

  * msgrcv() and msgget() (and probably any of the other relevant SysV
    IPC functions), even though recv() does. This seems incorrect.

  * While the pw_gecos is tainted because it's in theory mungible, the
    pw_shell is not. However, on some systems, you are allowed to change
    your shell to something not in /etc/shells.

--tom
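The following script is an added example, not part of the message above nor of the Perl sources it quotes. It checks, under taint mode, the behaviour the message describes: glob() results are tainted even though no external program is involved, readdir() results are tainted and have to be laundered name by name (there is no way to untaint the directory handle itself), and a tainted name is refused by an operation that writes to the filesystem. It assumes a Perl with Scalar::Util::tainted (core since 5.8) and File::Temp; the scratch directory and the file names a.c, b.c and notes.txt are constructed sample data.

```perl
#!/usr/bin/perl
# Run as:  perl -T taint_glob.pl   (the -T switch is what enables tainting;
# passing it on the command line avoids "Too late for -T" errors.)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Constructed sandbox: a scratch directory with a few files to glob over,
# so the script runs offline and cleans up after itself.
my $dir = tempdir(CLEANUP => 1);
for my $name (qw(a.c b.c notes.txt)) {
    open my $fh, '>', "$dir/$name" or die "create $dir/$name: $!";
    close $fh;
}

# Print how many of the given strings carry the taint flag.
sub report {
    my ($label, $list) = @_;
    my $n_tainted = grep { tainted($_) } @$list;
    printf "%-9s %d name(s), %d tainted\n", $label, scalar @$list, $n_tainted;
}

# 1. glob() results are tainted. No csh is involved; the names come from
#    the filesystem (File::Glob's bsd_glob marks each result tainted).
my @globbed = glob("$dir/*.c");
report('glob', \@globbed);

# 2. readdir() results are tainted too. The handle cannot be untainted,
#    so each returned name has to be laundered individually.
opendir my $dh, $dir or die "opendir $dir: $!";
my @entries = grep { !/^\.\.?\z/ } readdir $dh;
closedir $dh;
report('readdir', \@entries);

# 3. The sanctioned way to untaint: a regex capture whose pattern encodes
#    what a safe name looks like (here, a plain C source file name).
#    Captured groups are never tainted.
my @clean;
for my $name (@entries) {
    if ($name =~ /\A([\w-]+\.c)\z/) {
        push @clean, $1;
    }
}
report('laundered', \@clean);

# 4. The enforcement point: a tainted name in an operation that affects the
#    outside world (open for writing) dies with "Insecure dependency".
#    Concatenating a tainted string onto an untainted one yields a tainted
#    result, so $tainted_name is tainted.
my $tainted_name = "$dir/$entries[0]";
my $ok = eval { open my $out, '>>', $tainted_name or die $!; close $out; 1 };
print "open(>>) with tainted name: ", ($ok ? "allowed\n" : "refused: $@");

# Opening the laundered name for writing, by contrast, is permitted.
my $clean_name = "$dir/$clean[0]";
open my $out, '>>', $clean_name or die "open $clean_name: $!";
close $out;
print "open(>>) with laundered name: allowed\n";
```

Run it without -T and every count of tainted names drops to zero and the tainted open succeeds, which is exactly the difference the perldelta entry quoted above refers to: taint mode is what turns these filesystem-derived strings into values that must be checked before they are used.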