develooper Front page | perl.perl5.porters | Postings from July 2009

eliminating poisoned null attacks, feedback please

From: David Taylor
Date: July 29, 2009 08:46
Subject: eliminating poisoned null attacks, feedback please
Message ID: 3ed4daa00907290846w30110730re8ff6633413a4cf7@mail.gmail.com
As discussed at http://www.perlmonks.org/index.pl?node_id=782306 I'm
working up a patch to eliminate poisoned null attacks against Perl
scripts.  I'm learning my way around the Perl internals as I go, and
I'm posting this early proof of concept draft to get some feedback.
So far I've only done the backtick opcode; I'm planning on plumbing in
similar checks near to the TAINT_PROPER calls for other things like
stat and open and so on.

* In principle, is there a chance of such a patch getting committed
once I've learned enough (and had enough help) to put together a good
quality implementation (and written tests and so on), or would I be
wasting my time?

* Any suggestions of better ways to attack the problem?



--- perl-5.10.0-orig/pp_sys.c   2007-12-18 12:47:08.000000000 +0200
+++ perl-5.10.0/pp_sys.c        2009-07-29 17:11:33.000000000 +0200
@@ -300,14 +300,34 @@
 #   define PERL_EFF_ACCESS(p,f) (S_emulate_eaccess(aTHX_ (p), (f)))
 #endif

+void
+check_poisoned_null(char *str, STRLEN len, const char * const opname)
+{
+    /* Ignore trailing NULLs. There is an old trick of appending NULLs to a
+     * filename in 2-argument open() to make it work with filenames ending
+     * in whitespace, let's not break that code.
+     */
+    while (len > 1 && str[len-1] == '\0')
+       --len;
+
+    if (strlen(str) < len) {
+       /* There's a NULL in the string - could be a poisoned NULL attack. */
+       Perl_croak(aTHX_ "embedded NULL in %s", opname);
+    }
+}
+
 PP(pp_backtick)
 {
     dVAR; dSP; dTARGET;
     PerlIO *fp;
-    const char * const tmps = POPpconstx;
+    const char * tmps;
+    STRLEN len;
     const I32 gimme = GIMME_V;
     const char *mode = "r";

+    tmps = SvPVx_const(POPs, len);
+    check_poisoned_null(tmps, len, "backtick");
+
     TAINT_PROPER("``");
     if (PL_op->op_private & OPpOPEN_IN_RAW)
        mode = "rb";

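Review bot: `Perl_croak(aTHX_ ...)` inside `check_poisoned_null` needs a thread context, but the function's signature carries none, so under USE_ITHREADS `aTHX` is not in scope there and the build fails; declare it as `check_poisoned_null(pTHX_ const char *str, STRLEN len, const char * const opname)` and call it as `check_poisoned_null(aTHX_ tmps, len, "backtick")`. Making `str` a `const char *` also removes the const-discarding warning from passing the `SvPVx_const` result. A file-local helper in pp_sys.c would normally be `STATIC` with the `S_` prefix and an entry in embed.fnc rather than an unprefixed extern, and since the check now runs before `TAINT_PROPER` it dies for untainted strings as well; the post describes placing these checks next to the TAINT_PROPER calls, so it is worth stating whether that is intended or whether the check should apply only to tainted values. Minor: the byte is NUL, so `"embedded NUL in %s"` would match the wording used elsewhere in the source.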
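The rule the patch's check_poisoned_null() applies, restated as a stand-alone C demonstration (an added example, not code from the post or from the Perl source): trailing NUL bytes are tolerated, any NUL before the last non-NUL byte is reported, and a second helper shows how much of the string a C-string consumer such as open(2) would actually see. The names `has_poisoned_null` and `visible_len` and the sample values are chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same rule as the patch: drop trailing NULs (the 2-argument open()
 * trick the post mentions), keep at least one byte, then report any
 * NUL that is left inside the string. Returns 1 if poisoned, else 0. */
int has_poisoned_null(const char *str, size_t len)
{
    while (len > 1 && str[len - 1] == '\0')
        --len;                        /* trailing NULs are harmless */
    return memchr(str, '\0', len) != NULL;
}

/* Number of bytes a C-string consumer (open(2), execve(2), ...) would
 * use: the first NUL ends the name early, which is what the attack
 * relies on, while Perl's scalar still holds the full length. */
size_t visible_len(const char *str, size_t len)
{
    const char *nul = memchr(str, '\0', len);
    return nul ? (size_t)(nul - str) : len;
}

int main(void)
{
    /* Constructed sample values; the NUL is carried via the length. */
    struct { const char *buf; size_t len; } samples[] = {
        { "report.txt",    10 },   /* clean */
        { "report.txt\0",  11 },   /* trailing NUL: allowed */
        { "report\0.txt",  11 },   /* embedded NUL: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%zu visible=%zu poisoned=%d\n", samples[i].len,
               visible_len(samples[i].buf, samples[i].len),
               has_poisoned_null(samples[i].buf, samples[i].len));
    }
    return 0;
}
```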

