develooper Front page | perl.perl5.porters | Postings from September 2005

[perl #2783] magic open of ARGV

From: Steve Peters via RT
Date: September 27, 2005 21:09
Subject: [perl #2783] magic open of ARGV
Message ID: rt-3.0.11-2783-121717.9.08824524474802@perl.org
> [thospel@mail.dma.be - Tue Mar 28 03:56:10 2000]:
> 
> In article <E12V7Jw-0002PL-00@ursa.cus.cam.ac.uk>,
> 	"M.J.T. Guy" <mjtg@cus.cam.ac.uk> writes:
> > No, I'm *not* trying to restart this flame war.   But it was a "security"
> > issue, and security seems to be in fashion at the moment, and it *was*
> > left in a somewhat unsatisfactory state.
> > 
> > The story so far, for the benefit of younger readers:
> > [ with the usual IIRC caveats  -  go to the archives if you want the
> >   real facts
> > ]
> > There's a booby trap when magic open (i.e. initial/final special
> > characters like < > |) is used in conjunction with <>.    Suppose
> > some devious person has left around a file such as "| rm -rf *;".
> > Then root's cron job comes along and does
> > 
> >            my_scan_command *
> > 
> > and ... Boom!     Here's a more innocent demonstration:
> > 
> > $ cat >'| echo Bwahahahaha'
> > hkgfjhgfhgf
> > $ perl -wne '' *
> > Bwahahahaha
> > $
> > 
> > Note that the Perl script is obviously "so simple it can't have any
> > security holes".
> > 
> > There were two proposals for fixing this: a maximal one which would
> > have banned all magic in association with <>, and a minimal one
> > (championed by Tom C) which would have made the open non-magic iff
> > a file of that name existed.   So the minimal proposal is essentially
> > backwards compatible, and loses no functionality apart from active
> > malice.
> > 
> In fact, there was a little known third proposal by yours truly (hi !):
> Turn off magic <> if the perl command line contains an explicit --
> Otherwise you are still hacked. Observe:
> 
> mkdir /tmp/a
> cd /tmp/a
> echo > '-e;print("Bwahaha\n")'
> echo foo > bar
> perl -wne '' *
> 
> Will also give you the dreaded:
> Bwahaha
> 
> So, since a security aware person has to do
> 
> perl -wne '' -- *
> 
> anyways, let that remove the magicness
> 

The flaw Ton has just above seems to have been fixed.

steve@kirk:~/perl-current$ mkdir /tmp/a
steve@kirk:~/perl-current$ cd /tmp/a
steve@kirk:/tmp/a$ echo > '-e;print("Bwahaha\n")'
steve@kirk:/tmp/a$ echo foo > bar
steve@kirk:/tmp/a$ perl -wne '' *
steve@kirk:/tmp/a$ ls -ltr
total 8
-rw-r--r--  1 steve steve 1 2005-09-27 23:03 -e;print("Bwahaha\n")
-rw-r--r--  1 steve steve 4 2005-09-27 23:03 bar

Although the original flaw that started this ticket still exists.
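The following is an added example, not part of this thread or of perl's own code, showing the defensive form of the "so simple it can't have any security holes" script above: instead of relying on `<>` (which opens each @ARGV entry with the two-argument, magic open), it opens each argument itself with three-argument open in read mode, so a name beginning with `|`, `<`, `>` or `-` is treated as a literal filename and never as a pipe, a redirection or STDIN. The function name `process_files` and the line-counting body are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hardened replacement for `while (<>) { ... }` (assumed example, not perl's
# own code). Each name in @ARGV is opened with three-argument open and an
# explicit '<' mode, so the name is only ever interpreted as a path: a file
# called '| echo Bwahahahaha' is opened for reading (or fails), not executed.
sub process_files {
    my (@names) = @_;
    my $lines = 0;

    for my $name (@names) {
        # Three-argument open: mode and filename are separate, so no
        # leading/trailing characters of $name carry any special meaning.
        open(my $fh, '<', $name) or do {
            warn "cannot open '$name': $!\n";
            next;
        };
        while (my $line = <$fh>) {
            $lines++;
            # per-line work would go here (constructed placeholder: count lines)
        }
        close($fh);
    }
    return $lines;
}

# Note the behaviour change relative to <>: an argument of "-" is now a
# literal file named "-", not STDIN. Read STDIN explicitly if that is wanted.
my @files = @ARGV ? @ARGV : ();
print process_files(@files), " lines read\n";
```

Run it as `perl safe_scan.pl -- *` (name assumed) so that the shell glob cannot inject perl switches either; the `--` stops perl's own option parsing, which is what Ton's `-e;print(...)` filename abuses, and is something no in-script change can address because switches are parsed before the script runs. Perl 5.22 later added the `<<>>` operator, which performs the same three-argument open on each @ARGV entry internally; that is a later feature and not something this 2005 thread discusses.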
