"perl-5.8.0@ton.iguana.be (via RT)" <perlbug-followup@perl.org> wrote:
:I was experimenting with an event-driven setup emulating
:multiple concurrent CGI programs. To make the environments look
:more "normal", I was doing local *ENV=$ref_to_the_current_cgi_env. And
:as usual I used the -T option to protect myself from carelessness.
:However, when I did a careless external call, I didn't get an error.
:The following demonstrates the essence:
:
:perl -Twle '%a=(a=>4, b=>5); *ENV=\%a; system("echo unsafe")'
:unsafe
:
:while I expected what happens for this code:
:perl -Twle 'system("echo unsafe")'
:Insecure $ENV{PATH} while running with -T switch at -e line 1.
:
:So the system() safety checks are done against %ENV instead of
:against the real environment. But the actual path search will
:happen against the real environment. That's insecure.

Ouch. I note that also if the new %ENV includes a PATH I get a coredump
instead:

  perl -Twe '%a=(PATH=>"util"); *ENV=\%a; system("echo unsafe")'
  Segmentation fault (core dumped)
  zen%

  #0  Perl_mg_find (sv=0x814dee0, type=101) at mg.c:327
  #1  0x081129f3 in Perl_taint_env () at taint.c:116
  #2  0x080f96a7 in Perl_pp_system () at pp_sys.c:4076
  [..]

I believe this is happening because mg_find() assumes it will never be
called with an SV that isn't magical, and taint_env() assumes that
anything pulled out of %ENV will always have magic attached.

The main question I think is what C< *ENV = \%myenv > should mean:
either it should act to replace the environment or not, and the rest
of the core should act appropriately either way.

I think in principle it would be most useful for it to replace the
environment, but I accept that that involves a lot of extra code and
could also make C< *ENV = \%myenv > unexpectedly slow. This implies
that eg C< local %ENV = ( PATH => $path ) > should also work. (Hmm,
can we even tell? C< *ENV = \*A; *A = \%myenv > may make things tricky.)

Hugo
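
Added example, not part of the original message or of the perl core: a script-level guard for the mismatch described in this thread, where -T vets whatever hash *ENV currently points at while the child process gets the real environment. The names env_is_real and guarded_system and the PATH value are assumptions made for illustration.

```perl
use strict;
use warnings;
use Scalar::Util qw(refaddr);

# Address of the hash in *ENV{HASH} at compile time, before any code has
# had a chance to re-alias the glob. This is the hash perl connects to
# the real process environment.
my $REAL_ENV;
BEGIN { $REAL_ENV = refaddr(\%ENV) }

# Hypothetical helper: true while %ENV is still that original hash.
sub env_is_real { return refaddr(\%ENV) == $REAL_ENV }

# Hypothetical wrapper around system(): refuses to run when *ENV has been
# re-aliased, because the taint check would then inspect a hash that the
# child process never sees.
sub guarded_system {
    my @cmd = @_;
    die "refusing to run '$cmd[0]': *ENV is not the real environment\n"
        unless env_is_real();
    # Usual taint-mode hygiene, applied to the real environment (perlsec).
    $ENV{PATH} = '/usr/bin:/bin';               # assumed safe PATH
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return system(@cmd);
}

# Constructed demo: the first call runs, the second is rejected.
guarded_system('echo', 'real env') == 0 or die "echo failed: $?\n";
{
    my %fake = (PATH => '/usr/bin:/bin');       # constructed replacement hash
    local *ENV = \%fake;                        # the aliasing from the report
    eval { guarded_system('echo', 'aliased env'); 1 }
        or print "blocked: $@";
}
print "restored: ", (env_is_real() ? "yes" : "no"), "\n";
```

Run it with perl -T; the guard fires before system() is reached, so neither the skipped taint check nor the mg_find() crash path is exercised while the alias is in place.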