develooper Front page | perl.perl5.porters | Postings from February 2000

tainting oddities (some doc, some code)

Thread Next
Tom Christiansen
February 26, 2000 07:46
tainting oddities (some doc, some code)
Message ID:
pp_sys.c has this:

	OP *result;
	tryAMAGICunTARGET(iter, -1);


    #ifndef VMS
	if (PL_tainting) {
	     * The external globbing program may use things we can't control,
	     * so for security reasons we must assume the worst.
	    taint_proper(PL_no_security, "glob");
    #endif /* !VMS */

And perlsec has this:

    @files = <*.c>;             # Always insecure (uses csh)
    @files = glob('*.c');       # Always insecure (uses csh)

At the very least, the comments are misleading.  glob() no longer
uses an external program, so the "Always" part is wrong.  Likewise,
the pp_sys.c comment is problematic: what if you're not using
an external globbing?  

The answer is that at some level, it comes down to readdir, which
is now tainted.  Here's the 5.005 perldelta entry:

    =head2 Security fixes may affect compatibility

    A few taint leaks and taint omissions have been corrected.  This
    may lead to "failure" of scripts that used to work with older
    versions.  Compiling with -DINCOMPLETE_TAINTS provides a perl
    with minimal amounts of changes to the tainting behavior.  But
    note that the resulting perl will have known insecurities.

So, in theory this should apply to globbing, too.  And in fact, it
does, as you notice if you you look at Glob.xs.  It's just not for
the reasons given in the previously cited comments, which should be

It also occurs to me that readdir() doesn't allow untainting of the
handle.  I'd kinda expect that since you can untaint a filehandle,
you should be able to do likewise on a directory handle.

Other tainting oddities: 

 *  msgrcv() and msgget() (and probably any the other revelant 
    SysV IPC functions), even though recv() does.  This seems 

 *  While the pw_gecos is tainted because it's in theory mungible,
    the pw_shell is not.  However, on some systems, you are allowed
    to change your shell to something not in /etc/shells.


Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About