develooper Front page | perl.perl5.porters | Postings from March 2017

[perl #123638] Perl5 Windows Command Injection Vulnerability

From: bulk88 via RT
Date: March 30, 2017 23:30
Subject: [perl #123638] Perl5 Windows Command Injection Vulnerability
Message ID: rt-4.0.24-19403-1490916597-1296.123638-15-0@perl.org

On Mon, 20 Mar 2017 02:37:31 -0700, davem wrote:
> I've just moved this ticket to the public queue. The remaining issue to be
> discussed is for win32 system(): it will sometimes fall back to using the
> shell, even with individual arguments. It's been proposed that this behaviour
> should be deprecated:
> 
> 
> +=item system(LIST) fallback to shell deprecated
> +
> +(W deprecated) C<system(LIST)> on Win32 currently falls back to the
> +shell if the supplied program name cannot be found.
> +
> +The Win32 API to create a new process only accepts a single string
> for
> +the process arguments, so to emulate the behaviour on POSIX systems,
> +perl quotes the arguments in the same way as most software on Win32.
> +
> +Unfortunately the Win32 shell accepts arguments escaped in a
> different
> +way to most other Win32 software, which can be used by an attacker.
> 
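
Review bot: the entry ends at "which can be used by an attacker" without telling the reader what to do about the warning. A diagnostic entry is more useful when it states the remedy, so a closing sentence could say how code that depends on the fallback should be changed (for example, by naming the shell explicitly as the program being run), and the last sentence could name the consequence, which the ticket subject gives as command injection. The first paragraph's "if the supplied program name cannot be found" would also be clearer if it said which lookup has to fail before the fallback happens.
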
> Can anyone see a reason not to do this?
> [NB: I am just the messenger; I have no opinion on this]


This code in miniperl uses shell execute to run a builtin on Win32.

https://perl5.git.perl.org/perl.git/blob/28118845adbde9f823d609bb19abbbf8d1ffee47:/dist/PathTools/Cwd.pm#l625

-- 
bulk88 ~ bulk88 at hotmail.com

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=123638
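
An added example, not part of the original message and not perl's own code: a check for the quoting mismatch that the quoted perldiag text describes. It assumes the Microsoft C runtime argv convention as the quoting that "most software on Win32" uses and a simplified model of how cmd.exe tracks quotes; the function names and sample argument lists are constructed for illustration.

```perl
use strict;
use warnings;

# Quote one argument with the Microsoft C runtime argv convention
# (assumption: a stand-in for "the same way as most software on Win32";
# this is not perl's own quoting routine).
sub quote_arg_msvcrt {
    my ($arg) = @_;
    return $arg if $arg ne '' && $arg !~ /[ \t"]/;
    my $q = $arg;
    $q =~ s/(\\*)"/$1$1\\"/g;   # 2n+1 backslashes before an embedded quote
    $q =~ s/(\\+)\z/$1$1/;      # double backslashes that precede the closing quote
    return qq{"$q"};
}

# Simplified model of cmd.exe: every double quote toggles the quoted state
# and a backslash is an ordinary character. Returns [offset, char] for each
# shell metacharacter that cmd.exe would still interpret.
sub cmd_unquoted_metachars {
    my ($cmdline) = @_;
    my $in_quotes = 0;
    my @hits;
    my @chars = split //, $cmdline;
    for my $i (0 .. $#chars) {
        my $c = $chars[$i];
        if ($c eq '"') { $in_quotes = !$in_quotes; next }
        # % starts variable expansion even inside quotes
        push @hits, [$i, $c]
            if $c eq '%' || (!$in_quotes && $c =~ /[&|<>^()]/);
    }
    return @hits;
}

# Constructed sample argument lists (not taken from the ticket).
my @samples = (
    ['tool.exe', 'report 2017.txt'],
    ['tool.exe', 'a & b'],          # metacharacter stays inside the quotes
    ['tool.exe', 'name" & marker'], # \" ends the quoted run as far as cmd.exe is concerned
    ['tool.exe', '%PATH%'],
);

for my $argv (@samples) {
    my $line = join ' ', map { quote_arg_msvcrt($_) } @$argv;
    my @hits = cmd_unquoted_metachars($line);
    my $verdict = @hits
        ? 'unsafe if passed to the shell: '
          . join(', ', map { "$_->[1] at offset $_->[0]" } @hits)
        : 'ok';
    printf "%-32s %s\n", $line, $verdict;
}
```

An argument list that this check flags is one where a fallback to the shell changes the meaning of the command line, which is the case the proposed deprecation is meant to remove.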
