develooper Front page | perl.perl5.porters | Postings from May 2008

[perl #39821] RE: glob() should do taint checking

Thread Next
Bram via RT
May 12, 2008 10:30
[perl #39821] RE: glob() should do taint checking
Message ID:
On Thu Jul 13 08:57:33 2006, wrote:
> This is a bug report for perl from,
> generated with the help of perlbug 1.35 running under perl v5.8.7.
> -----------------------------------------------------------------
> [Please enter your report here]
> In taint mode, glob() should complain if its arguments are tainted.
> This is not because of worrying about invoking an external tcsh;
> rather, because of directory traversal exploits that aren't always
> obvious.  (Or at least, an easier mistake to make than some of the
> other things taint warns about.)
> If you construct a glob expression from user input you should make a
> decision about whether to allow / and .. (or their moral equivalents)
> to appear.  If you want to disallow directory traversal then you
> probably should match the user input against a regexp before using it;
> if you decide that you do want to allow unlimited choice of what ends
> up in the glob expression, it's probably better to explicitly make
> that choice.  So taint checking sounds about right.
> #!/usr/bin/perl -T
> use warnings;
> use strict;
> my $expr = <STDIN>;
> chomp $expr;
> my @files = glob "my_directory/$expr";
> print "@files\n";
> Here the programmer's intention was presumably for user input to match
> filenames under my_directory, but there is a directory traversal
> vulnerability because of the way the filename is pasted together.
> What the programmer should probably have done is something like
> # Be paranoid that the filename spec doesn't contain .. or similar.
> $expr =~ /^([A-Za-z0-9._*?])+$/ or die "bad glob expression $expr";
> (An alternative would be a safe version of File::Spec->catfile that
> makes sure the individual path components really are single
> components; this would be a safe way to put together the glob
> expression.  But even if catfile were changed to do this checking, I
> think glob() should still be taint-aware.)
> [Please do not change anything below this line]
> -----------------------------------------------------------------

Is there a reason why glob() doesn't do taint checking?
(Confirmed with blead the taint checking still doesn't happen)

(This bug report was initially seen as spam and then added to the perl5 
queue. I searched the archive of July 2006 but could only find this bug 
in the 'Perl5 Bug Summary' messages...)

Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About