
Re: Taint bug (was: Creative and *routine* use of so-called "magic" ARGV (was [perl #2783] Security of ARGV using 2-argument open))

From: Ed Avis
Date: July 29, 2008 16:30
Subject: Re: Taint bug (was: Creative and *routine* use of so-called "magic" ARGV (was [perl #2783] Security of ARGV using 2-argument open))
Message ID: loom.20080729T232121-391@post.gmane.org

Tom Christiansen <tchrist <at> perl.com> writes:

>To my mind, it's a bug that while(<>) in taint mode doesn't
>realize that a raw @ARGV from the command line is unsafe.

FWIW, I agree.  Since currently <> uses unsafe open, taint should flag it.  At
the moment you get no error, until one of the arguments happens to contain a
shell metacharacter, at which point the program dies with a taint error.  It
would be better to die for all cases because then the programmer has a chance to
spot the problem sooner.

But, again, this might prompt you to ask why just 'reading the files' should
need taint checking.  After all, there is no taint error for

    #!/usr/bin/perl -T
    use warnings;
    use strict;
    my $filename = <STDIN>;
    chomp $filename;
    open my $fh, '<', $filename or die $!;
    close $fh or die $!;

It executes just fine, and that is entirely correct.  The open() call is safe,
in that no matter what filename it is passed it will do what it says on the tin
and try to open a file of that name for reading.

Taint checking and safe, predictable I/O commands are orthogonal.  If you have a
command like 3-arg open which doesn't rely on magic characters interpolated into
a string to change its behaviour, then taint checking is not needed.  Only
inherently unsafe (powerful, but potentially dangerous) operations like eval
"$code", /$regexp/, open($fh, "$magic_string") need the extra check. 

-- 
Ed Avis <eda@waniasset.com>
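
An added example, not part of the original message: one way to replace `while (<>)` with an explicit loop that uses 3-arg open, so every argument is treated purely as a file name. The sub name `each_line_literal` and the sample file names are hypothetical and constructed for this illustration; a POSIX file system is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Replacement for `while (<>)`: open each name with 3-arg open, so the
# name is only ever a file name and never a mode or a command.
# Returns the number of names that could not be opened.
sub each_line_literal {
    my ($callback, @names) = @_;
    my $failed = 0;
    for my $name (@names) {
        my $fh;
        if (!open $fh, '<', $name) {
            warn "cannot open '$name': $!\n";
            $failed++;
            next;
        }
        while (my $line = <$fh>) {
            $callback->($name, $line);
        }
        close $fh or warn "close '$name': $!\n";
    }
    return $failed;
}

# Constructed sample input (assumes a POSIX file system): names ending in
# characters that 2-arg open treats specially. Trailing whitespace is
# stripped by 2-arg open, and a trailing '|' asks it for a pipe.
my $dir   = tempdir(CLEANUP => 1);
my @names = map { File::Spec->catfile($dir, $_) }
    ('plain.txt', 'trailing-space.txt ', 'trailing-pipe.txt|');
for my $path (@names) {
    open my $out, '>', $path or die "create '$path': $!";
    print {$out} "one line\n";
    close $out or die "close '$path': $!";
}

# A name that does not exist is reported and counted, not fatal.
my %lines;
my $failed = each_line_literal(sub { $lines{ $_[0] }++ },
    @names, File::Spec->catfile($dir, 'missing.txt'));
printf "%d files read, %d failed\n", scalar(keys %lines), $failed;
```

Unlike `<>`, this loop does not treat `-` as standard input; a program that wants that behaviour has to handle it explicitly.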



