perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

From: David Golden
Date: October 2, 2012 06:13
Subject: Re: Security Issues in perl-5.16.x
Message ID: CAOeq1c-pVzLtCfHWfhHPWKi_EohHfX9b7E=tc2mHTw2zCO1ckw@mail.gmail.com

On Tue, Oct 2, 2012 at 8:36 AM, Tom Christiansen <tchrist@perl.com> wrote:
>
> Perhaps there exists some new expectation of running always in taint
> mode.  I don't know.

The only thing I can think of is related to the comment of hash-keys
not being taint checked.  Imagine some poorly implemented web server
that dumps query parameters into %ENV.  E.g. $ENV{PARAM1} holds the
value submitted for PARAM1.  Then, someone could submit a GET request
with a parameter key that contains malicious content and that would
not be flagged as tainted.

I have no idea what someone could do to exploit such a thing -- or
rather, I could imagine sufficiently poorly written code that took
environment *keys* and required them or passed them to system or
whatever, but in my mind that clearly falls into the "shoot yourself
in the foot" territory.

I can't think of a good reason for "\0" to be embedded in the middle
of strings handed off to the system, so I'm fine with a change there
if that's deemed a "good" security practice.  (Whether it's security
theater or not.)

David



-- 
David Golden <xdg@xdg.me>
Take back your inbox! → http://www.bunchmail.com/
Twitter/IRC: @xdg
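
An added example, not part of the message above or of perl's own code: a Perl script, run as `perl -T`, showing that a tainted string used as a hash key comes back from `keys` untainted while its value stays tainted, followed by an allowlist check applied to the name before it is stored. The `%params` and `%checked` hashes, the `store_param` helper and the sample pairs are constructed for illustration; `%params` stands in for the `%ENV` of the web server described in the message.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run this script as: perl -T $0\n" unless ${^TAINT};

# Zero-length tainted string (same idiom as perl's t/op/taint.t);
# appending it taints a constant, simulating client-supplied data.
my $TAINT = substr($^X, 0, 0);

# Constructed sample: name/value pairs as parsed from a query string.
my @pairs = (
    [ "PARAM1" . $TAINT,    "hello" . $TAINT ],
    [ "PARAM 2;x" . $TAINT, "world" . $TAINT ],
);

# Naive store: the name becomes a hash key with no validation.
my %params;
for my $pair (@pairs) {
    my ($name, $value) = @$pair;
    printf "incoming name %-12s tainted=%d\n", "'$name'", tainted($name) ? 1 : 0;
    $params{$name} = $value;
}

# Hash keys are plain strings, not scalars, so the taint flag is lost.
for my $name (sort keys %params) {
    printf "stored key    %-12s tainted=%d, value tainted=%d\n",
        "'$name'", tainted($name) ? 1 : 0, tainted($params{$name}) ? 1 : 0;
}

# Hypothetical helper: validate the name while it is still known to be
# client-supplied, because taint mode cannot flag it after it is a key.
sub store_param {
    my ($store, $name, $value) = @_;
    return 0 unless defined $name
        && $name =~ /\A[A-Za-z][A-Za-z0-9_]{0,31}\z/;
    $store->{$name} = $value;
    return 1;
}

my %checked;
for my $pair (@pairs) {
    my $ok = store_param(\%checked, @$pair);
    printf "store_param   %-12s %s\n", "'$pair->[0]'", $ok ? "accepted" : "rejected";
}
```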
