
Re: [PBML] GPL Perl Blog

  • David Francos
    Message 1 of 4 , Mar 1, 2008
      On Sat, 2008-03-01 at 09:36 -0500, Jeff Pinyan wrote:
      > On Sat, Mar 1, 2008 at 8:31 AM, David Francos <yo.orco@...> wrote:
      > >
      > > I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
      > > but... it just doesn't work.
      > > I got an error while editing:
      > > Insecure dependency in open while running with -T switch
      > > at /usr/lib/cgi-bin/index.pl line 136.
      >
      > That means you're using open() in an insecure manner. It would have helped
      > if you showed us line 136, but I'm guessing you're opening a file and the
      > filename is gotten from somewhere outside your program. In other words,
      > it's tainted! See *perldoc perlsec* for more details, or even Google the
      > error message ("Insecure dependency in open while running with -T switch").
      I'm sorry, yes that was what I thought but I didn't get what I was looking
      for on google, next time I'll remember perlsec.
      The code in question is tainted: $file=$cgi->param('newid'); --> not
      exactly, it's $newpath/$newid and newid is filtered to remove "../" from
      it, and I've thought of just removing everything but numbers, or giving an
      error if something else than a number is given (newid is always a
      number)

      > > And... the main thing is I'm rewriting the preferences_editor.pl script,
      > > something like this:
      > >
      > > $preference1_explanation="this is the first";
      > > @list=('preference1','preference2');
      > > foreach $item(@list){
      > > print $item_explanation;
      > > }
      > > But meaning that with $item_explanation will get
      > > $preference1_explanation.
      >
      > That's a "soft reference", which are icky. You want a hash, really.
      >
      > my %explanation = (
      > preference1 => "message",
      > preference2 => "message",
      > preference3 => "blah blah",
      > # ...
      > );
      >
      > my @list = ('preference1', 'preference2');
      >
      > foreach my $item (@list) {
      > print $explanation{$item};
      > }

      That was exactly what I was looking for, never thought of that, instead of
      modifying the main script, modify the preferences one. (explanations and
      so on are stored in different files, this way I pseudo-localize it with
      extensions like .en .es and so on)
      Thanks a lot


      --
      http://thexayon.wordpress.com

      Que la fuerza os acompañe.


      --XayOn--

      Linux registered user #446872


    • Jeff Pinyan
      Message 2 of 4 , Mar 1, 2008
        On Sat, Mar 1, 2008 at 10:41 AM, David Francos <yo.orco@...> wrote:
        > I'm sorry, yes that was what I thought but I didn't get what I was looking
        > for on google, next time I'll remember perlsec.
        > The code in question is tainted: $file=$cgi->param('newid'); --> not
        > exactly, it's $newpath/$newid and newid is filtered to remove "../" from
        > it, and I've thought of just removing everything but numbers, or giving an
        > error if something else than a number is given (newid is always a
        > number)

        Untainting isn't a matter of removing the bad, it's a matter of extracting
        the good.

        my $file = $cgi->param('newid'); # $file is tainted because it comes from a HTTP query

        To untaint $file, you must do more than remove what you don't want:

        # remove all characters that aren't lowercase letters...
        $file =~ s/[^a-z]+//g; # $file is STILL tainted!

        Instead, you must extract what is ok:

        # if there are one or more lowercase letters, use them as $file's value
        if ($file =~ /([a-z]+)/) {
            $file = $1;
        }
        else {
            # complain somehow
            die "Invalid value for '$file': must contain lowercase letters";
        }

        In your case, you would want to do this:

        my ($file) = $cgi->param('newid') =~ /(\d+)/;

        If $file is *undef* after that, then *newid* had a bad value in it.

        --
        [Mary said,] "Do whatever he tells you." ~ John 2:5
        The Cross Reference - http://thecrossreference.blogspot.com/
        Nos autem praedicamus Christum crucifixum (1 Cor 1:23)


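An added example, not code from either poster, that runs Jeff's point under taint mode: stripping "../" with s/// leaves the value tainted, while a regex capture of the digits produces an untainted $id that open() accepts. It assumes a command-line argument stands in for $cgi->param('newid'), a temporary directory stands in for $newpath, and it anchors the pattern with \A and \z, which is stricter than the unanchored /(\d+)/ above.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl [newid]
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempdir);

# Constructed input standing in for $cgi->param('newid'). Under -T both
# @ARGV and %ENV are tainted, so the default value is spliced with an
# empty tainted string to make it tainted as well.
my $tainted_empty = substr($ENV{PATH} // '', 0, 0);
my $newid = @ARGV ? $ARGV[0] : '12' . $tainted_empty;

# Stand-in for the blog's $newpath: tempdir() ignores tainted candidates
# under -T, so the directory name itself is clean.
my $newpath = tempdir(CLEANUP => 1);

# Removing the bad: the substitution result is STILL tainted, because perl
# only clears the taint flag on regex captures, never on s/// output.
(my $stripped = $newid) =~ s{\.\./}{}g;
printf "after s///:     tainted=%d\n", tainted($stripped) ? 1 : 0;

# Extracting the good: keep a whole-string run of digits, or nothing.
sub untaint_id {
    my ($raw) = @_;
    return defined $raw && $raw =~ /\A(\d+)\z/ ? $1 : undef;
}

my $id = untaint_id($newid);
defined $id or die "Invalid value for newid: must be a number\n";
printf "after capture:  tainted=%d\n", tainted($id) ? 1 : 0;

# $newpath is untainted and $id came from a capture, so open() is permitted
# under -T; with the tainted $newid it would die with the error in the thread.
my $file = "$newpath/$id";
open my $out, '>', $file or die "cannot write $file: $!\n";
print {$out} "post $id\n";
close $out;
open my $in, '<', $file or die "cannot open $file: $!\n";
my $line = <$in>;
close $in;
print "read back: $line";
```

Passing a value such as 12abc makes untaint_id return undef and the script dies before any open(), which is the failure path Jeff describes for a bad newid.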