taint problems 
 taint problems

Hi,

The following script results in an 'insecure dependency in open...'
error message

#!/usr/local/bin/perl -wT

# untaint $ENV{PATH} for use with qmail
$ENV{PATH} = '/var/qmail/bin';
### tried replacing this with
### $ENV{PATH} = "/var/qmail/bin;/music/cgi-bin/online";
### but still no luck


<snip>
        if(!open(FILE, ">online/$username"))            ##### offending line
        {
                &q_head;
                print "Error: Unable to open online file.<P>";
                &q_exit;
        }
<snip>

##############################

online/ is a folder within the script's folder.

The perl cookbook gives the tainted open() example using $ARGV[0], saying
this is tainted because it comes from outside the script.  It also
mentions that I can use open() safely if I only open a file for reading
- I have to open it for writing.  $username is also picked up from
within the script by reading the value from a database.

Any solutions to this?



Sun, 16 May 2004 14:45:18 GMT  
 taint problems

Quote:

> Hi,

> The following script results in an 'insecure dependency in open...'
> error message

> #!/usr/local/bin/perl -wT

> # untaint $ENV{PATH} for use with qmail
> $ENV{PATH} = '/var/qmail/bin';
> ### tried replacing this with
> ### $ENV{PATH} = "/var/qmail/bin;/music/cgi-bin/online";
> ### but still no luck


> <snip>
>         if(!open(FILE, ">online/$username"))            ##### offending line
>         {
>                 &q_head;
>                 print "Error: Unable to open online file.<P>";
>                 &q_exit;
>         }
> <snip>

> ##############################

> online/ is a folder within the script's folder.

> The perl cookbook gives the tainted open() example using $ARGV[0], saying
> this is tainted because it comes from outside the script.  It also
> mentions that I can use open() safely if I only open a file for reading
> - I have to open it for writing.  $username is also picked up from
> within the script by reading the value from a database.

> Any solutions to this?

I should add, the untainting of qmail works fine.


Sun, 16 May 2004 15:02:19 GMT  
 taint problems

Quote:

>         if(!open(FILE, ">online/$username"))            ##### offending
> $username is also picked up from
> within the script by reading the value from a database.

> Any solutions to this?

Have you tried untainting $username in the usual way (see
perlsec/"Laundering and Detecting Tainted Data")?

Do you know if the database interface you are using claims that it returns
untainted data?  DBI, for example, returns untainted data by default.

--
     \\   ( )
  .  _\\__[oo

 .  l___\\
  # ll  l\\
 ###LL  LL\\



Sun, 16 May 2004 20:20:37 GMT  
 taint problems

Quote:


> >         if(!open(FILE, ">online/$username"))            ##### offending

> > $username is also picked up from
> > within the script by reading the value from a database.

> > Any solutions to this?

> Have you tried untainting $username in the usual way (see
> perlsec/"Laundering and Detecting Tainted Data")?

> Do you know if the database interface you are using claims that it returns
> untainted data?  DBI, for example, returns untainted data by default.

Done - thanks for the tip

I don't know about the database (DB_File in Berkeley Environment) - I haven't
seen anything related to taintedness or not in its documentation.  It may be
that I'm able to use it as I specify its name within the perl script.  I
notice that I have to untaint, when using open() and readdir(), only the
filenames and not the data contained within.

For example, the following snippet:

<snip>
use Fcntl qw(:flock);   # needed for LOCK_SH below; not shown in the original snippet
opendir(ONLINE, "online") or die "Error: cannot open ONLINE directory</BODY></HTML>";
while ($file=readdir(ONLINE))
{
# filename ($file) is username online, content is unix time of last loading online.cgi for that user
# refresh of online.cgi is 20 seconds, remove any files older than 30 seconds

# not interested in either . or ..
        next if(($file eq '.') || ($file eq '..'));
# untaint $file
        $file = &untaint($file);
        $filename = $dir . $file;       # $dir (the online/ path) is set in the snipped part
        open(FILE, "$filename") or die "Error: Cannot open $filename</BODY></HTML>";
        flock(FILE, LOCK_SH);
        while(<FILE>)
        {
                chomp;
#               $_ = &untaint($_);
                $time = $_;
# we just want the first line here - none of the web profile stuff
                last;
        }
        close(FILE);
        $time += 30;
}

closedir(ONLINE);

sub untaint
{
        if($_[0] =~ /^([\s\w]+)$/)
        {
                return $1;
        }
        else    # $_[0] is tainted
        {
                print "<BODY BGCOLOR=\"maroon\" TEXT=\"yellow\" LINK=\"silver\" VLINK=\"silver\">";
                print "Error: Tainted data....";
                print "</BODY></HTML>";
                exit;
        }
}

<snip>

works fine with the -T switch even though I'm using $time, which is the first
line of the file, without untainting it.  I'm curious why this should be so.



Mon, 17 May 2004 21:27:42 GMT  
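The question at the end of the post above (why an unlaundered $time read from the file never trips taint mode) can be answered by inspection rather than guesswork. The following script is an added example, not code from the thread: it recreates the online/ directory in a temp dir with constructed sample files, uses Scalar::Util::tainted() to show which values carry taint, and shows that perl only refuses a tainted value when it reaches a dangerous operation such as an open for writing. The untaint() sub is a tightened variant of the one posted (no whitespace, a length cap, and the caller decides what to do on rejection); $dir, the file names and the times are constructed here.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Shows with Scalar::Util::tainted()
# which values in the readdir loop carry taint (directory entries, file contents)
# and why the unlaundered $time never triggered an error: perl only refuses
# tainted data at a dangerous operation (open for writing, unlink, exec,
# system ...), not at arithmetic or comparisons. The "online/" directory and
# its files are constructed in a temp dir so the script runs anywhere.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

$ENV{PATH} = '/usr/bin';                      # literal assignment: untainted
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};     # the other variables perlsec warns about

# Constructed sample data: one file per user holding a unix time, as in the thread.
my $dir = tempdir(CLEANUP => 1);
for my $user (qw(alice bob)) {
    open my $fh, '>', "$dir/$user" or die "create $user: $!";
    print $fh time() - 10, "\n";
    close $fh;
}

# Launder like the posted untaint() sub, but: no whitespace in a file name,
# a length cap, and the caller decides what to do when the value is rejected.
sub untaint {
    my ($value) = @_;
    return $value =~ /\A(\w{1,64})\z/ ? $1 : undef;
}

opendir my $dh, $dir or die "opendir $dir: $!";
while (defined(my $file = readdir $dh)) {
    next if $file eq '.' or $file eq '..';

    # readdir results come from outside the script, so they are tainted
    printf "readdir: %-6s tainted=%d\n", $file, tainted($file) ? 1 : 0;

    my $clean = untaint($file);
    if (!defined $clean) { warn "skipping odd name '$file'\n"; next }

    open my $fh, '<', "$dir/$clean" or die "open $clean: $!";   # laundered path: allowed
    flock($fh, LOCK_SH);
    chomp(my $time = <$fh> // '');
    close $fh;

    # File input is tainted too; the posted script ran only because $time never
    # reached a dangerous operation. Arithmetic just propagates the taint.
    my $stale = ($time + 30 < time()) ? 1 : 0;
    printf "  content tainted=%d, deadline tainted=%d, stale=%d\n",
        tainted($time) ? 1 : 0, tainted($time + 30) ? 1 : 0, $stale;

    # The same tainted value used as part of a path to write to is refused:
    my $ok = eval { open my $bad, '>', "$dir/$time" or die "$!\n"; 1 };
    print "  write-open via tainted \$time: ", $ok ? "allowed\n" : "refused: $@";
}
closedir $dh;
```

Run it as `perl -T` (the shebang flag alone is honoured only when the script is executed directly). The eval around the write-open is there so the refusal is reported and the loop continues; in a CGI the same "Insecure dependency" die would end the request, which is the behaviour the first post saw.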
 taint problems

Quote:
>The following script results in an 'insecure dependency in open...'
>error message

>#!/usr/local/bin/perl -wT

># untaint $ENV{PATH} for use with qmail
>$ENV{PATH} = '/var/qmail/bin';
>### tried replacing this with
>### $ENV{PATH} = "/var/qmail/bin;/music/cgi-bin/online";
>### but still no luck


><snip>
>        if(!open(FILE, ">online/$username"))            ##### offending line

...

Even though an answer was already provided, I'd like to continue this
thread, as the above example somewhat startled me.

So, what is considered to be tainted -- and what is considered to be safe?

In the above, it seems that a file open is made with a relative path
name. Still, current directory has not been set (unless it was in the
<snip> part). Am I the only one to consider this as a hole in taint
checks?

While I'm at it, is the value of $0 considered tainted or safe?
--
Wolf  a.k.a.  Juha Laiho     Espoo, Finland

         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h--- r+++ y+++
"...cancel my subscription to the resurrection!" (Jim Morrison)



Wed, 19 May 2004 15:10:56 GMT  
 taint problems
On Sat, 01 Dec 2001 14:10:56 GMT,

Quote:

>>The following script results in an 'insecure dependency in open...'
>>error message

[SNIP]

Quote:
> So, what is considered to be tainted -- and what is considered to be safe?

The perlsec documentation spends quite some text on this discussion. You
do know about that documentation, don't you?

$ man perlsec
or
$ perldoc perlsec

Quote:
> In the above, it seems that a file open is made with a relative path
> name. Still, current directory has not been set (unless it was in the
><snip> part). Am I the only one to consider this as a hole in taint
> checks?

> While I'm at it, is the value of $0 considered tainted or safe?

A simple test would have told you.

$ perl -wT -e '$ENV{PATH} = qw(/usr/bin); exec $0'  
Insecure dependency in exec while running with -T switch at -e line 1.

Yep. It is.

Martien
--
                        |
Martien Verbruggen      | Make it idiot proof and someone will make a
                        | better idiot.
                        |



Wed, 19 May 2004 23:40:48 GMT  
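The two questions raised above (is $0 tainted, and is an open() on a path relative to an unset current directory a hole) can both be checked directly. This script is an added example, not code from the thread: it reports with Scalar::Util::tainted() which inherited values are tainted, shows that chdir to a tainted directory is refused just like the exec in Martien's test, and builds the online/<user> path from an absolute base chosen inside the script, so the open() no longer depends on whatever the current directory happens to be. The base directory is a temp dir standing in for a literal such as '/music/cgi-bin', and the "database" username is a constructed value deliberately marked tainted.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. $0 and %ENV are tainted (the reason
# "exec $0" is refused), and chdir to a tainted directory is refused as well.
# The data file path is then built from an absolute base chosen in the script
# plus a laundered name, instead of "online/$username" relative to the cwd.
# The base is a temp dir here (constructed); a real script would use a literal
# such as '/music/cgi-bin'.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

printf "\$0          tainted=%d\n", tainted($0) ? 1 : 0;
printf "\$ENV{PATH}  tainted=%d\n", tainted($ENV{PATH} // '') ? 1 : 0;

$ENV{PATH} = '/var/qmail/bin';               # literal assignment: now untainted
printf "reset PATH  tainted=%d\n", tainted($ENV{PATH}) ? 1 : 0;

# Appending an empty substring of a tainted value is the usual way to mark a
# test value tainted; it stands in for a username read from the database.
my $from_db = 'alice' . substr($0, 0, 0);
printf "username    tainted=%d\n", tainted($from_db) ? 1 : 0;

my $BASE   = tempdir(CLEANUP => 1);          # stand-in for '/music/cgi-bin'
my $online = File::Spec->catdir($BASE, 'online');
mkdir $online or die "mkdir $online: $!";

# Absolute base + laundered name; the cwd plays no part in the result.
sub online_file {
    my ($username) = @_;
    my ($clean) = $username =~ /\A(\w{1,64})\z/
        or die "refusing to build a path from '$username'\n";
    return File::Spec->catfile($online, $clean);
}

my $path = online_file($from_db);
printf "path        tainted=%d (%s)\n", tainted($path) ? 1 : 0, $path;
open my $fh, '>', $path or die "open $path: $!";  # accepted: every component is clean
print $fh time(), "\n";
close $fh;

# chdir is a taint-checked operation too, so a script cannot be steered into a
# caller-chosen directory without laundering or hardcoding the target first.
my $tainted_dir = $BASE . substr($0, 0, 0);
my $ok = eval { chdir $tainted_dir or die "$!\n"; 1 };
print "chdir with tainted dir: ", $ok ? "allowed\n" : "refused: $@";
```

The point for the relative-path worry is the last part: taint mode does not know what the current directory is, so it cannot flag a relative open() on its own; anchoring the path to a literal absolute directory (or laundering and chdir'ing to one at startup) is what removes the dependency on the caller's cwd.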