Re: Security Issues in perl-5.16.x

From: Reini Urban
Date: October 1, 2012 18:14
Subject: Re: Security Issues in perl-5.16.x
Message ID: CAHiT=DHVf+nJZ48JU5AMQmZQvicKaWPmdqTSaF-r4XqX6JZA1w@mail.gmail.com
On Mon, Oct 1, 2012 at 7:54 PM, Jan Dubois <jand@activestate.com> wrote:
>
> On 2012-10-01, at 5:11 PM, Jesse Luehrs <doy@tozt.net> wrote:
>
> Just because your patches were applied doesn't mean that they were
> *security* bugs. I agree that it's probably a bug that 'require
> "foo.pl\0bar"' sets $INC{"foo.pl\0bar"} instead of $INC{"foo.pl"}, and I
> think it probably should be fixed, but I still haven't seen any evidence
> that this is a *security* bug. There is a difference.
>
>
> Why? %INC contains the filename in exactly the same format as you
> specified it in the require statement:
>
> $ perl -E 'require "foo.pm"; /foo/ && say for keys %INC'
> foo.pm
> $ perl -E 'require "./foo.pm"; /foo/ && say for keys %INC'
> ./foo.pm
> $ perl -E 'require "../jan/foo.pm"; /foo/ && say for keys %INC'
> ../jan/foo.pm
> $ perl -E 'require "foo.pm\0bar.pm"; /foo/ && say for keys %INC'
> foo.pmbar.pm
>
> What makes the last one special, so that it needs to be "normalized",
> but the other 3 can be left as-is?  %INC is just a heuristic to try to
> prevent the same file from being compiled multiple times.  It is easily fooled too:
>
> $ echo 'print "hi\n"' > foo.pm
> $ perl -E 'require "foo.pm"; require "./foo.pm"; /foo/ && say for keys %INC'
> hi
> hi
> ./foo.pm
> foo.pm
>
> To me this is not a bug, just a limitation of the optimization.

Jan,
You didn't see my point.

As an attacker you would choose a known name that already exists.
Hence strict.pm\0 or any other core module. But not bareword names with ::,
since this would lead to the code path which is already checked for \0.
So vars, strict, warnings and such.
-- 
Reini Urban
http://cpanel.net/   http://www.perl-compiler.org/
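The point Reini makes, as an added example that is not part of the thread: a wrapper that gives the string form of require the same embedded-NUL check the bareword (Foo::Bar) path already gets, plus an audit of %INC for keys recorded with a NUL in them. The names safe_require and nul_inc_keys are hypothetical, the wrapper is deliberately stricter than require itself (it refuses ./ and ../ prefixes too), and the NUL-bearing %INC entry at the end is constructed by hand rather than produced by a real require, so the script also runs on later perls that make require croak on an embedded \0.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Function names are hypothetical.
use strict;
use warnings;
use Carp qw(croak);

# Reject a require argument before it reaches the file-open layer, where the
# C string is cut at the first NUL: "strict.pm\0bar" would open strict.pm but
# be recorded in %INC under the full key "strict.pm\0bar".
sub safe_require {
    my ($file) = @_;
    croak "embedded NUL in require argument" if index($file, "\0") >= 0;
    # Stricter than require: only plain word/slash names ending in .pm or .pl,
    # so "./foo.pm" and "../jan/foo.pm" are refused as well.
    croak "require argument is not a plain .pm/.pl name: $file"
        unless $file =~ m{\A[\w/]+\.p[lm]\z};
    return require $file;
}

# Audit: %INC keys that contain a NUL byte, i.e. names that went through a
# string-form require without a check like the one above.
sub nul_inc_keys {
    return grep { index($_, "\0") >= 0 } keys %INC;
}

# --- demonstration ---
safe_require('strict.pm');    # already loaded by "use strict", so a no-op
print "strict.pm recorded as: $INC{'strict.pm'}\n";

for my $bad ("strict.pm\0bar", "../jan/foo.pm") {
    my $ok   = eval { safe_require($bad); 1 };
    my $show = $bad =~ s/\0/\\0/gr;    # make the NUL visible when printing
    printf "%-18s -> %s", $show, ($ok ? "loaded\n" : "rejected: $@");
}

# Constructed sample: the %INC entry a raw require "foo.pm\0bar" leaves on a
# perl that does not check for NUL. Inserted by hand so nothing is opened.
$INC{"foo.pm\0bar"} = "/constructed/path/foo.pm";
my @suspect = nul_inc_keys();
print "suspect %INC keys: ", scalar(@suspect), "\n";    # 1
delete $INC{"foo.pm\0bar"};
```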
