
[perl #2783] Security of ARGV using 2-argument open - It's a feature



Raising this bug from the dead so we can lay it to rest at last.

The original bug report reads:

> There's a booby trap when magic open (i.e. initial/final special
> characters like < > |) is used in conjunction with <>.    Suppose
> some devious person has left around a file such as "| rm -rf *;".

Yes, <> using 2-argument open does contain a nasty surprise.  I don't
like it either.  However I believe it's considered a feature, and I've
certainly seen a few tutorials, as well as working code that delights in
the ability to write:

   myprog.pl log.0 log.1 'gunzip -c log.2.gz |'

and have <> work its magic.

This means I don't think we'll see <> changing to using 3-argument open
any time soon.  Even if it did, all the existing code out there using
older Perls would still be vulnerable _anyway_, as well as the potential
for some existing code that uses this "feature" to break when Perl is
upgraded.

Luckily, there's a reasonably good work-around, and that's to use taint
mode.  Because command-line arguments are always tainted, but Perl
doesn't check for taint when opening a file for *reading* (but it does
for writing and for pipes), starting Perl in taint mode practically
eliminates the problem of code injection attacks via command-line
arguments and <>.

If the program didn't intend to execute external commands to begin with,
then there should be no changes when the program uses taint.  If it
*did* intend to execute external commands, but we're in an environment
where the filesystem itself may be considered hostile, then we
definitely want to be using taint anyway.  ;)

One can still potentially use the arcane invocation '<&=0' to dup STDIN
(or another filehandle) without taint checks, but that's much less
serious than executing arbitrary code.

As such, I'm resolving this ticket and marking it as not-a-bug.

Cheerio,

   Paul

-- 
Paul Fenwick <pjf@perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
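
The taint-mode workaround described in the message above, as an added example (not part of the original post and not code from the Perl project): the same one-line `<>` reader is run in a child perl without and with `-T`, against an ordinary file and an argument ending in `|`. The file name, the `echo` argument and the helper `run_reader` are constructed for illustration; a Unix-like system with `echo` on the PATH is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample input: one ordinary log file, plus one argument
# ending in '|' that the 2-argument open behind <> treats as a command.
my $dir = tempdir(CLEANUP => 1);
my $log = "$dir/log.0";
open(my $out, '>', $log) or die "cannot write $log: $!";
print {$out} "line from log.0\n";
close($out) or die "cannot close $log: $!";

my @args   = ($log, 'echo line from a piped command |');
my $reader = 'print while <>;';

# Run the one-line reader in a child perl. The list form of open passes
# the arguments directly to the child, so no shell is involved here.
sub run_reader {
    my @switches = @_;
    open(my $child, '-|', $^X, @switches, '-e', $reader, '--', @args)
        or die "cannot start $^X: $!";
    my @lines = <$child>;
    close($child);    # returns false on a non-zero exit; status is in $?
    return ($? >> 8, @lines);
}

# Without -T the second argument is run as a command and its output is
# read like a file. With -T the ordinary file is still read (opening for
# reading is not taint-checked), but the piped open on a tainted
# command-line argument is fatal, so the child exits non-zero and its
# taint error appears on stderr.
for my $mode ([ 'without -T' ], [ 'with -T', '-T' ]) {
    my ($label, @switches) = @$mode;
    my ($exit, @lines) = run_reader(@switches);
    print "== $label (child exit status $exit)\n";
    print "   $_" for @lines;
}
```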

