On Mon, 2009-08-24 at 14:46 +0200, Rob Coops wrote:
> On Mon, Aug 24, 2009 at 2:17 PM, Tim Bowden <[email protected]> wrote:
>
> > #!/usr/bin/perl -wT
> > use strict;
> >
> > my $filename = shift @ARGV;
> >
> > if (-f $filename){
> > open OUT, "> $filename.new" or die "can't open $filename.new: $!";
> > print OUT "are we safe?\n";
> > close OUT;
> > }
> >
> > This dies with "Insecure dependency in open while running with -T
> > switch" as expected. I'd like to know if having passed the -f test, is
> > it safe to do no other checking on the file name if all I'm going to use
> > it for is to append a new extension on the file name (in addition to any
> > extension that may already be there)? Would that be safe on all (or
> > any) platforms? Are there any other checks I should be doing on the
> > file name before untainting it?
> >
> > Thanks,
> > Tim Bowden
> >
> >
> > --
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> > http://learn.perl.org/
> >
> >
> Hi Tim,
<snip>
> In your case where you run the script from a command line you will still
> want to make sure that a user is not for instance printing a socket or some
> part of the memory.
The -f test returns true if the argument is a 'regular' file, and false
if it is not a regular file. I guess what I'm really asking is what
exactly constitutes a regular file?
> I could quite possibly send you a string that will not
> fail your test, but will also execute a very bad command.
That would be very interesting to see. What sort of file would be
'regular' but still do something very bad?
> (sql injection
> attacks are based on this very principle)
> The fact that your test passed does not mean that your string is safe; it
> just means that whatever the -f $filename command read returned true.
>
> I am no hacker and have not tried this but imagine a command like this:
> scriptname.pl 'test.txt && exec("a very bad command")'
>
> This (the quotes make the whole thing including the spaces a single argument
> to your program) would pass your test without any issues; it would also cause
> serious harm to your system, especially if the script is executed with
> different rights than the user who is typing this command (sudo for
> instance).
Except that 'test.txt && exec("a very bad command")' (suitably adjusted
for filenames & command) doesn't pass the -f test.
>
> Taint basically wants you to check with a regular expression every bit of
> data that comes into your script from an untrusted source like the evil
> users out there. Once that is done you should use further testing like your
> -f (is it a file) checking to make sure that you are dealing with useful
> data.
>
> Regards,
>
> Rob
Regards,
Tim Bowden
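An added example (written for this page, not code from either poster) that makes Rob's point about regex untainting concrete and shows the mechanics behind Tim's -f question: under -T, -f only reports whether a regular file exists under that name and leaves the string tainted; a regex capture with a restricted character class is what clears the flag. Scalar::Util's tainted() is a real function; untaint_filename is a hypothetical helper, and the allowed character set and the '..' rejection are assumptions about what counts as an acceptable name.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): -f leaves the taint flag set; only a
# regex capture clears it.  Run as:  perl -T untaint.pl some_file.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper: return an untainted copy of $raw if it looks like a
# plain filename (letters, digits, '_', '.', '-', '/'), or undef otherwise.
# The character class excludes whitespace, quotes, '&', ';', '$', '|' and
# other shell metacharacters, so nothing like 'test.txt && ...' matches.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw && length $raw;
    return if $raw =~ m{(?:^|/)\.\.(?:/|\z)};    # reject any '..' component
    # A capture from a regex is the one operation that untaints data.
    my ($clean) = $raw =~ m{^([A-Za-z0-9_][A-Za-z0-9_./-]*)\z};
    return $clean;
}

my $filename = shift @ARGV;
defined $filename or die "usage: $0 FILENAME\n";

# -f answers "is there a regular file with this name?" and says nothing
# about the string itself, which stays tainted afterwards.
-f $filename or die "$filename: not a regular file\n";
printf "after -f:    tainted=%s\n", tainted($filename) ? 'yes' : 'no';

my $safe = untaint_filename($filename)
    or die "refusing suspicious filename: $filename\n";
printf "after regex: tainted=%s\n", tainted($safe) ? 'yes' : 'no';

# Three-argument open: the mode is a literal, so the name is never parsed
# for '>' or '|', and taint mode accepts the untainted value.
open my $out, '>', "$safe.new" or die "can't open $safe.new: $!";
print {$out} "are we safe?\n";
close $out or die "close $safe.new: $!";
```

Run it as `perl -T untaint.pl some_file.txt` so -T is in effect even when the shebang is bypassed; the first line prints `tainted=yes` and the second `tainted=no`, and the same -f check alone would still die with "Insecure dependency" at the open.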