develooper Front page | perl.perl5.porters | Postings from October 2003

Re: [perl #24291] Taint checking against the wrong environment

Thread Previous | Thread Next
October 26, 2003 03:12
Re: [perl #24291] Taint checking against the wrong environment
Message ID:
" (via RT)" <> wrote:
:I was experimenting with an event-driven setup emulating
:multiple concurrent CGI programs. To make the environments look
:more "normal", I was doing local *ENV=$ref_to_the_current_cgi_env. And
:as usual I used the -T option to protect myself from carelessness.
:However, when I did a careless external call, I didn't get an error.
:The following demonstrates the essence:
:perl -Twle '%a=(a=>4, b=>5); *ENV=\%a; system("echo unsafe")'
:while I expected what happens for this code:
:perl -Twle 'system("echo unsafe")'
:Insecure $ENV{PATH} while running with -T switch at -e line 1.
:So the system() safety checks are done against %ENV instead of
:against the real environment. But the actual path search will
:happen against the real environment. That's insecure.

Ouch. I note that also if the new %ENV includes a PATH I get a
coredump instead:

perl -Twe '%a=(PATH=>"util"); *ENV=\%a; system("echo unsafe")'
Segmentation fault (core dumped)
#0  Perl_mg_find (sv=0x814dee0, type=101) at mg.c:327
#1  0x081129f3 in Perl_taint_env () at taint.c:116
#2  0x080f96a7 in Perl_pp_system () at pp_sys.c:4076

I believe this is happening because mg_find() assumes it will never
be called with an SV that isn't magical, and taint_env() assumes
that anything pulled out of %ENV will always have magic attached.

The main question I think is what C< *ENV = \%myenv > should mean:
either it should act to replace the environment or not, and the
rest of the core should act appropriately either way. I think in
principle it would be most useful for it to replace the environment,
but I accept that that involves a lot of extra code and could also
make C< *ENV = \%myenv > unexpectedly slow. This implies that eg
C< local %ENV = ( PATH => $path ) > should also work.

(Hmm, can we even tell? C< *ENV = \*A; *A = \%myenv > may make
things tricky.)


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About