In article <20031027115225.7c21a92c.rgarciasuarez@_ree._r>,
Rafael Garcia-Suarez <rgarciasuarez@free.fr> writes:
> With the patch below, I have these results:
>
> $ ./perl -Twle '%a=(a=>4, b=>5); *ENV=\%a; system("echo unsafe")'
> %ENV is aliased to another variable while running with -T switch at -e line 1.
>
> $ ./perl -Twle '%a=(a=>4, b=>5); *ENV=*a; system("echo unsafe")'
> %ENV is aliased to %a while running with -T switch at -e line 1.
>
> i.e. when doing a TAINT_ENV check, immediately croak if %ENV is no
> longer referring to the environment. This early failure approach
> solves the security problem.
>
> The behaviour of perl is not changed when not in -T or -t mode: i.e.
> aliasing the *ENV glob works like regular glob aliasing.
>
> If no objections or improvement proposals, I'll commit this.
>

If I understand correctly, the croak happens not on the localization
of ENV, but when the system() tries to use it?

That sounds fine for my library. It fixes the security hole, I can still
fool CGI.pm with a fake env, and if the user tries to do a system/exec/qr
during that time, he will get an error (I wasn't too sure about the proper
behaviour for that last case anyways. The real PATH etc. will in fact have
been set to safe values, but the user maybe expected his $ENV{PATH}=... to
actually do something).