develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Thread Previous | Thread Next
From:
Tom Christiansen
Date:
October 2, 2012 05:37
Subject:
Re: Security Issues in perl-5.16.x
Message ID:
7255.1349181382@chthon
Chip Salzenberg <rev.chip@gmail.com> wrote on Mon, 01 Oct 2012 21:51:31 PDT: 
> On Mon, Oct 1, 2012 at 1:24 PM, chromatic <chromatic@wgz.org> wrote:
>> In some modules (including core modules), you can inject arbitrary
>> code into a process by crafting the correct environment variable.
>>
>> Sure, you have problems if I'm able to modify your environment
>> variables, but how often do you audit your environment variables to
>> see if I can exploit your Perl?

> Shirley you can't be serious.  Environment variable control is
> fundamental, going back to the early days of Unix and exploits
> involving PATH and IFS .  You may as well ask whether we sanitize or
> escape user data to avoid XSS.

I have to admit, I'm pretty confused by this myself.  If you do
not have control over your environment, then it is close to trivial
to reset variables like PERL5LIB or PERL5OPT to something that allows
for execution of arbitrary user-supplied code, simply by putting your
own version of something like strict.pm out there.  How this should be
somehow a different class of "problem", I do not understand.  It doesn't
seem like it to me.

Perhaps there exists some new expectation of running always in taint 
mode.  I don't know.  

--tom

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About