Re: [PBML] GPL Perl Blog

  • Jeff Pinyan
    Message 1 of 4, Mar 1, 2008
      On Sat, Mar 1, 2008 at 8:31 AM, David Francos <yo.orco@...> wrote:
      >
      > I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
      > but... it just doesn't work.
      > I got an error while editing:
      > Insecure dependency in open while running with -T switch
      > at /usr/lib/cgi-bin/index.pl line 136.

      That means you're using open() in an insecure manner. It would have helped
      if you showed us line 136, but I'm guessing you're opening a file and the
      filename is gotten from somewhere outside your program. In other words,
      it's tainted! See *perldoc perlsec* for more details, or even Google the
      error message ("Insecure dependency in open while running with -T switch").

      > And... the main thing is I'm rewriting the preferences_editor.pl script,
      > something like this:
      >
      > $preference1_explanation="this is the first";
      > @list=('preference1','preference2');
      > foreach $item (@list) {
      >     print $item_explanation;    # meant to reach $preference1_explanation
      > }
      >
      > But meaning that $item_explanation would get $preference1_explanation.

      That's a "soft reference", which is icky. You want a hash, really.

      my %explanation = (
          preference1 => "message",
          preference2 => "message",
          preference3 => "blah blah",
          # ...
      );

      my @list = ('preference1', 'preference2');

      foreach my $item (@list) {
          print $explanation{$item};
      }




      --
      [Mary said,] "Do whatever he tells you." ~ John 2:5
      The Cross Reference - http://thecrossreference.blogspot.com/
      Nos autem praedicamus Christum crucifixum (1 Cor 1:23)


    • David Francos
      Message 2 of 4, Mar 1, 2008
        On Sat, 2008-03-01 at 09:36 -0500, Jeff Pinyan wrote:
        > On Sat, Mar 1, 2008 at 8:31 AM, David Francos <yo.orco@...> wrote:
        > >
        > > I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
        > > but... it just doesn't work.
        > > I got an error while editing:
        > > Insecure dependency in open while running with -T switch
        > > at /usr/lib/cgi-bin/index.pl line 136.
        >
        > That means you're using open() in an insecure manner. It would have helped
        > if you showed us line 136, but I'm guessing you're opening a file and the
        > filename is gotten from somewhere outside your program. In other words,
        > it's tainted! See *perldoc perlsec* for more details, or even Google the
        > error message ("Insecure dependency in open while running with -T switch").
        I'm sorry, yes, that was what I thought, but I didn't get what I was looking
        for on Google; next time I'll remember perlsec.
        The code in question is tainted: $file=$cgi->param('newid'); --> not
        exactly, it's $newpath/$newid, and newid is filtered to remove "../" from
        it, and I've thought of just removing everything but numbers, or giving an
        error if something other than a number is given (newid is always a
        number)

        > > And... the main thing is I'm rewriting the preferences_editor.pl script,
        > > something like this:
        > >
        > > $preference1_explanation="this is the first";
        > > @list=('preference1','preference2');
        > > foreach $item (@list) {
        > >     print $item_explanation;    # meant to reach $preference1_explanation
        > > }
        > >
        > > But meaning that $item_explanation would get $preference1_explanation.
        >
        > That's a "soft reference", which is icky. You want a hash, really.
        >
        > my %explanation = (
        >     preference1 => "message",
        >     preference2 => "message",
        >     preference3 => "blah blah",
        >     # ...
        > );
        >
        > my @list = ('preference1', 'preference2');
        >
        > foreach my $item (@list) {
        >     print $explanation{$item};
        > }

        That was exactly what I was looking for; I never thought of that: instead of
        modifying the main script, modify the preferences one. (Explanations and
        so on are stored in different files; this way I pseudo-localize it with
        extensions like .en, .es and so on.)
        Thanks a lot


        --
        http://thexayon.wordpress.com

        Que la fuerza os acompañe.

        -----BEGIN GEEK CODE BLOCK-----
        Version: 3.12
        GCS dpu s: a--- C++++ UL++++ P++++ L+++ E--- W+++ N+++ o+ K- w---
        O M+ V- PS+ PE+++ Y PGP++ t--- 5 X+++ R tv+++ b++++ DI--- D+++
        G+ e- h++ r+++ y++++
        ------END GEEK CODE BLOCK------

        --XayOn--

        Linux registered user #446872


      • Jeff Pinyan
        Message 3 of 4, Mar 1, 2008
          On Sat, Mar 1, 2008 at 10:41 AM, David Francos <yo.orco@...> wrote:
          > I'm sorry, yes, that was what I thought, but I didn't get what I was looking
          > for on Google; next time I'll remember perlsec.
          > The code in question is tainted: $file=$cgi->param('newid'); --> not
          > exactly, it's $newpath/$newid, and newid is filtered to remove "../" from
          > it, and I've thought of just removing everything but numbers, or giving an
          > error if something other than a number is given (newid is always a
          > number)

          Untainting isn't a matter of removing the bad, it's a matter of extracting
          the good.

          my $file = $cgi->param('newid');  # $file is tainted because it comes from an HTTP query

          To untaint $file, you must do more than remove what you don't want:

          # remove all characters that aren't lowercase letters...
          $file =~ s/[^a-z]+//g; # $file is STILL tainted!

          Instead, you must extract what is ok:

          # if there are one or more lowercase letters, use them as $file's value
          if ($file =~ /([a-z]+)/) {
              $file = $1;
          }
          else {
              # complain somehow
              die "Invalid value for '$file': must contain lowercase letters";
          }

          In your case, you would want to do this:

          my ($file) = $cgi->param('newid') =~ /(\d+)/;

          If $file is *undef* after that, then *newid* had a bad value in it.

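The laundering rule from the reply above, as an added example that is not code from the thread: a script run under `perl -T` that taints a few constructed sample values for newid the way a CGI parameter would be, shows that the substitution leaves the value tainted while the regex capture does not, anchors the pattern so a value like 12abc is rejected rather than shortened to 12, and then builds the file path from the clean id alone so open() is accepted. The directory (a stand-in for the thread's $newpath), the file naming, and the sample values are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not code from the original thread). Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;

# Hypothetical directory standing in for the thread's $newpath.
# Under -T, File::Spec->tmpdir ignores a tainted $ENV{TMPDIR}, so this is clean.
my $newpath = File::Spec->tmpdir;

# Constructed sample inputs. Under -T, %ENV is tainted, and concatenating an
# empty tainted substring taints each sample the way a CGI param would be.
my $taint   = substr($ENV{PATH} // '', 0, 0);
my @samples = map { $_ . $taint } ('42', '../../etc/passwd', '12abc', '');

# The "remove the bad" approach: the value may look clean, but a substitution
# never launders it, so open() would still refuse the result.
sub strip_nondigits {
    my ($id) = @_;
    $id =~ s/\D+//g;
    return $id;
}

# The "extract the good" approach: only what the capture group matched is
# untainted. Anchoring with ^ and \z means "12abc" is rejected outright
# instead of silently becoming "12".
sub untaint_id {
    my ($id) = @_;
    return unless defined $id;
    my ($clean) = $id =~ /^(\d+)\z/;
    return $clean;    # undef when newid was not purely numeric
}

for my $raw (@samples) {
    my $stripped = strip_nondigits($raw);
    my $clean    = untaint_id($raw);

    printf "%-20s stripped=%-6s still_tainted=%d  untainted=%s\n",
        "'$raw'", "'$stripped'", tainted($stripped) ? 1 : 0,
        defined $clean ? "'$clean'" : 'REJECTED';

    next unless defined $clean;

    # Build the path from the clean id only. Three-argument open with an
    # explicit mode keeps the filename from ever being read as a mode.
    my $path = File::Spec->catfile($newpath, "$clean.txt");
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} "entry $clean\n";
    close $fh or die "close $path: $!";
    unlink $path;
}
```

The -T on the shebang line only makes perl refuse to start if the switch is missing from the command line, so invoke it with `perl -T` explicitly. Only the '42' sample reaches open(); the stripped column shows that even '42' stays tainted after the substitution, which is exactly why the "filter out ../" approach described earlier in the thread keeps producing the "Insecure dependency" error.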