
GPL Perl Blog

  • David Francos
    Message 1 of 4 , Mar 1, 2008
      I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
      but... it just doesn't work.
      I got an error while editing:
      Insecure dependency in open while running with -T switch
      at /usr/lib/cgi-bin/index.pl line 136.

      And... the main thing is I'm rewriting the preferences_editor.pl script,
      something like this:

      $preference1_explanation="this is the first";
      @list=('preference1','preference2');
      foreach $item (@list) {
          print $item_explanation;
      }

      But meaning that $item_explanation will get $preference1_explanation.

      --
      http://thexayon.wordpress.com

      May the force be with you.

      -----BEGIN GEEK CODE BLOCK-----
      Version: 3.12
      GCS dpu s: a--- C++++ UL++++ P++++ L+++ E--- W+++ N+++ o+ K- w---
      O M+ V- PS+ PE+++ Y PGP++ t--- 5 X+++ R tv+++ b++++ DI--- D+++
      G+ e- h++ r+++ y++++
      ------END GEEK CODE BLOCK------

      --XayOn--

      Linux registered user #446872


    • Jeff Pinyan
      Message 2 of 4 , Mar 1, 2008
        On Sat, Mar 1, 2008 at 8:31 AM, David Francos <yo.orco@...> wrote:
        >
        > I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
        > but... it just don't work.
        > I got an error while editing:
        > Insecure dependency in open while running with -T switch
        > at /usr/lib/cgi-bin/index.pl line 136.

        That means you're using open() in an insecure manner. It would have helped
        if you showed us line 136, but I'm guessing you're opening a file and the
        filename is gotten from somewhere outside your program. In other words,
        it's tainted! See *perldoc perlsec* for more details, or even Google the
        error message ("Insecure dependency in open while running with -T switch").

        > And... the main thing is I'm rewriting the preferences_editor.pl script,
        > something like this:
        >
        > $preference1_explanation="this is the first";
        > @list=('preference1','preference2');
        > foreach $item(@list){
        > print $item_explanation;
        > }
        > But meaning that with $item_explanation will get
        > $preference1_explanation.

        That's a "soft reference", which is icky. You want a hash, really.

        my %explanation = (
            preference1 => "message",
            preference2 => "message",
            preference3 => "blah blah",
            # ...
        );

        my @list = ('preference1', 'preference2');

        foreach my $item (@list) {
            print $explanation{$item};
        }




        --
        [Mary said,] "Do whatever he tells you." ~ John 2:5
        The Cross Reference - http://thecrossreference.blogspot.com/
        Nos autem praedicamus Christum crucifixum (1 Cor 1:23)


      • David Francos
        Message 3 of 4 , Mar 1, 2008
          On Sat, 2008-03-01 at 09:36 -0500, Jeff Pinyan wrote:
          > That means you're using open() in an insecure manner. It would have
          > helped if you showed us line 136, but I'm guessing you're opening a
          > file and the filename is gotten from somewhere outside your program.
          > In other words, it's tainted! See *perldoc perlsec* for more details,
          > or even Google the error message ("Insecure dependency in open while
          > running with -T switch").
          I'm sorry, yes that was what I thought, but I didn't get what I was looking
          for on Google; next time I'll remember perlsec.
          The code in question is tainted: $file=$cgi->param('newid'); --> not
          exactly, it's $newpath/$newid and newid is filtered to remove "../" from
          it, and I've thought of just removing everything but numbers, or giving an
          error if something other than a number is given (newid is always a
          number).

          > That's a "soft reference", which is icky. You want a hash, really.
          >
          > my %explanation = (
          >     preference1 => "message",
          >     preference2 => "message",
          >     preference3 => "blah blah",
          >     # ...
          > );
          >
          > my @list = ('preference1', 'preference2');
          >
          > foreach my $item (@list) {
          >     print $explanation{$item};
          > }

          That was exactly what I was looking for; I never thought of that. Instead of
          modifying the main script, modify the preferences one. (Explanations and
          so on are stored in different files; this way I pseudo-localize it with
          extensions like .en, .es and so on.)
          Thanks a lot


        • Jeff Pinyan
          Message 4 of 4 , Mar 1, 2008
            On Sat, Mar 1, 2008 at 10:41 AM, David Francos <yo.orco@...> wrote:
            > I'm Sorry, yes that was what I tough but I didn't get what I was looking
            > for on google, next time I'll remember perlsec.
            > The code in question is tainted: $file=$cgi->param('newid'); --> not
            > exactly, its $newpath/$newid and newid is filtered to remove "../" from
            > it, and I've tought on just remove everything but numbers, or give an
            > error if something else than a number is given (newid is always a
            > number)

            Untainting isn't a matter of removing the bad, it's a matter of extracting
            the good.

            my $file = $cgi->param('newid'); # $file is tainted because it comes from an HTTP query

            To untaint $file, you must do more than remove what you don't want:

            # remove all characters that aren't lowercase letters...
            $file =~ s/[^a-z]+//g; # $file is STILL tainted!

            Instead, you must extract what is ok:

            # if there are one or more lowercase letters, use them as $file's value
            if ($file =~ /([a-z]+)/) {
                $file = $1;
            }
            else {
                # complain somehow
                die "Invalid value for '$file': must contain lowercase letters";
            }

            In your case, you would want to do this:

            my ($file) = $cgi->param('newid') =~ /(\d+)/;

            If $file is *undef* after that, then *newid* had a bad value in it.

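Here is an added example, not code from the thread, that runs Jeff's point under taint mode: the command-line argument stands in for $cgi->param('newid') (both are tainted under -T), Scalar::Util::tainted shows that stripping "../" and non-digits leaves the value tainted so open() for writing still dies with the thread's error, and an anchored digit capture untaints it. The throwaway directory from File::Temp stands in for David's $newpath, which the thread never defines.

```perl
# Added example (not code from the thread). Run it under taint mode:
#   perl -T untaint_newid.pl 42        # a good newid
#   perl -T untaint_newid.pl '../42'   # a bad newid
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempdir);

# Stand-in for David's $newpath: a throwaway directory so the script can really open a file.
my $newpath = tempdir(CLEANUP => 1);

# @ARGV is tainted under -T, just like $cgi->param('newid') in the CGI script.
my $raw = defined $ARGV[0] ? $ARGV[0] : die "usage: perl -T $0 <newid>\n";

# Approach 1, stripping: remove "../" and anything that isn't a digit.
# The result is still tainted, so open() for writing dies exactly as in the thread.
my $stripped = $raw;
$stripped =~ s{\.\./}{}g;
$stripped =~ s/\D+//g;
printf "stripped  '%s'  tainted=%d\n", $stripped, tainted($stripped) ? 1 : 0;
eval {
    open my $fh, '>>', File::Spec->catfile($newpath, $stripped) or die "open: $!\n";
    close $fh;
};
print "  open() under -T: ", ($@ || "ok\n");

# Approach 2, extracting: accept only a whole value made of digits (newid is always
# a number). The capture $1 is untainted; any other input yields undef.
sub untaint_newid {
    my ($value) = @_;
    return undef unless defined $value;
    my ($id) = $value =~ /\A(\d{1,10})\z/;
    return $id;
}

my $newid = untaint_newid($raw);
defined $newid or die "Invalid value for newid: must be a number\n";
printf "extracted '%s'  tainted=%d\n", $newid, tainted($newid) ? 1 : 0;
my $file = File::Spec->catfile($newpath, $newid);   # built only from untainted parts
open my $fh, '>>', $file or die "open $file: $!\n";
close $fh;
print "  open() under -T: ok, wrote $file\n";
```

Even a clean-looking value like 42 is refused by the first approach, because taint tracks where the data came from, not what it contains; only the regex capture produces a value perl will let you open for writing.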