
safe cgi programming in perl? - PERL Miscellaneous


  1. #1

    safe cgi programming in perl?

    Hi all, please excuse the long post, but this is the longest Perl
    script I've ever written. My main concern is with untainting data and
    using backticks for system commands. I read most of the documentation,
    but confess the perlsec leaves me a little confused as to the best way
    to write to files, etc.

    I'm using -Tw on the shebang line, plus "use strict".

    I threw this in, but I am not sure if it is necessary:

    $ENV{PATH} = "/bin:/usr/bin";
    delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

    I'm only using mkdir, open and rm with user input.

    Here are my untaint routines:

    -------------------

    if ($pairs{affilate_ID} =~ /^([-_\w.\s]+)$/) { $pairs{affilate_ID} = $1 }
    else { bad_data_in_affilate_ID () }
    if ($pairs{general_theme} =~ /^([-_\w.\s]+)$/) { $pairs{general_theme} = $1 }
    else { bad_data_in_theme () }

    my @untainted_keywords = split(/\, /, $pairs{keywords});

    my $untainted_keyword;
    for $untainted_keyword (@untainted_keywords) {
        # the loop variable aliases the array element, so assigning $1
        # here untaints the element in place
        if ($untainted_keyword =~ /^([-_\w.\s]+)$/) { $untainted_keyword = $1 }
        else { bad_data_in_keywords () }
    }

    -------------------

    Most of my commands to create directories, files and to remove files
    are with backticks, and I've untainted all the data... so have I
    covered all the bases, or should I understand more about the perlsec
    and shell vs. system calls... esp. this example:

    use English '-no_match_vars';
    my $pid;
    die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
    if ($pid) {           # parent
        while (<KID>) {
            # do something
        }
        close KID;
    } else {
        my @temp     = ($EUID, $EGID);
        my $orig_uid = $UID;
        my $orig_gid = $GID;
        $EUID = $UID;
        $EGID = $GID;
        # Drop privileges
        $UID  = $orig_uid;
        $GID  = $orig_gid;
        # Make sure privs are really gone
        ($EUID, $EGID) = @temp;
        die "Can't drop privileges"
            unless $UID == $EUID && $GID eq $EGID;
        $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH.
        # Consider sanitizing the environment even more.
        exec 'myprog', 'arg1', 'arg2'
            or die "can't exec myprog: $!";
    }

    Thanks very much for any replies,

    Steve

    Steve Guest

  2. #2

    Re: safe cgi programming in perl?

    Steve <mehome.com> wrote:
    > My main concern is with untainting data and
    > using backtics for system commands.
    > I'm only using mkdir,

    Is that the shell's mkdir(1) or Perl's mkdir() function?

    > open

    _That_ must be Perl's open(), I don't think there is a shell "open".

    > and rm with user input.

    And that is clearly the shell's rm(1).

    > most of my commands to create directories, files and to remove files
    > are with backtics,

    You can do all three of those things in native Perl rather than
    "shelling out" to external programs.

    perldoc -f mkdir
    perldoc -f open
    perldoc -f unlink


    Avoiding a shell goes a long way toward peace of mind, so you
    should avoid it whenever possible.

    As an added bonus, you could then move your program unchanged
    to some other operating system.


    --
    Tad McClellan                          SGML consulting
    tadmcaugustmail.com                    Perl programming
    Fort Worth, Texas
    Tad McClellan Guest
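    The three operations Steve shells out for, done with Perl builtins under
    taint mode as Tad suggests. This is an added example, not code from
    either poster; $BASE, untaint_name() and the sample parameter value are
    assumptions, and a temporary directory stands in for the real data
    directory so the script runs on its own.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: mkdir, file creation and rm done
# with Perl builtins under taint mode. $BASE, untaint_name() and the sample
# affilate_ID value are assumptions for illustration.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# A scratch directory stands in for the real data directory. It is untainted
# with the same kind of regex capture used for user input below.
my ($BASE) = tempdir(CLEANUP => 1) =~ m{^(/[\w./-]+)$}
    or die "unexpected tempdir name\n";

# Untaint by whitelist: one name component, no slash, no leading dot.
# Only what $1 captured survives; everything else is rejected.
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /^([A-Za-z0-9_][-A-Za-z0-9_]*)$/;
    return;                      # caller decides how to report bad input
}

# Perl's mkdir(): no shell parses the name, and $! says why it failed.
sub make_dir {
    my ($name) = @_;
    my $dir = File::Spec->catdir($BASE, $name);
    mkdir $dir, 0755 or die "mkdir $dir: $!";
    return $dir;
}

# Three-argument open() with an explicit mode. With two-argument open a
# name starting with ">" or ending in "|" would change what open does;
# with three arguments the name is only ever a filename.
sub write_file {
    my ($dir, $name, $content) = @_;
    my $path = File::Spec->catfile($dir, $name);
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
    return $path;
}

# unlink() and rmdir() replace `rm` and `rm -r`; both report through $!.
sub remove_dir {
    my ($dir, @names) = @_;
    for my $name (@names) {
        my $path = File::Spec->catfile($dir, $name);
        unlink $path or die "unlink $path: $!";
    }
    rmdir $dir or die "rmdir $dir: $!";
}

# If an external program really is needed (zip, in the later posts), the
# list form of system() hands the arguments to execve directly; no shell
# interprets spaces, quotes or metacharacters. Defined here, not called.
sub zip_dir {
    my ($dir, $archive) = @_;
    my $rc = system('/usr/bin/zip', '-r', '-q', $archive, $dir);
    die "zip failed, exit status " . ($rc >> 8) if $rc != 0;
    return $archive;
}

# Constructed stand-in for the affilate_ID CGI parameter.
my $id = untaint_name('acme_42');
defined $id or die "bad data in affilate_ID\n";

my $dir  = make_dir($id);
my $file = write_file($dir, 'general_theme', "blue\n");
print "wrote $file\n";
remove_dir($dir, 'general_theme');
print "removed $dir\n";
```

    Every builtin here returns false on failure and sets $!, which is the
    other thing backticks hide: a failed `rm` only shows up as text on
    STDERR, while a failed unlink() is a value the program can act on.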

  3. #3

    Re: safe cgi programming in perl?

    Steve <mehome.com> wrote:
    > My main concern is with untainting data and
    > using backtics for system commands.
    > if ($pairs{affilate_ID} =~ /^([-_\w.\s]+)$/) { $pairs{affilate_ID} =
    > $1 }

    Allowing dot may be dangerous, as it can have meta-meaning in a path.

    What if

    $pairs{affilate_ID} = '../etc/passwd';
    $pairs{affilate_ID} = '../../etc/passwd';
    $pairs{affilate_ID} = '../../../etc/passwd';

    etc.

    Do you allow users to enter relative paths?


    --
    Tad McClellan                          SGML consulting
    tadmcaugustmail.com                    Perl programming
    Fort Worth, Texas
    Tad McClellan Guest

  4. #4

    Re: safe cgi programming in perl?

    Hi Tad,

    Thank you for giving me some good suggestions. First off, I removed
    the dot when untainting data.

    I'm using a combination of Perl commands and backticks.

    Perl:
    mkdir, open

    Shell:
    zip, rm, mv, chmod

    The problem I was having was in dealing with the CGI program creating
    files with owner "apache". So I was having a hard time getting
    "unlink" and "rmdir" to work.

    But I think I will follow your advice and try moving more of the
    backtick commands to Perl commands.

    Steve

    On Mon, 14 Jul 2003 08:52:42 -0500, tadmcaugustmail.com (Tad
    McClellan) wrote:
    >Steve <mehome.com> wrote:
    >
    >> My main concern is with untainting data and
    >> using backtics for system commands.
    >
    >> I'm only using mkdir,
    >
    >
    >Is that the shell's mkdir(1) or Perl's mkdir() function?
    >
    >
    >> open
    >
    >
    >_That_ must be Perl's open(), I don't think there is a shell "open".
    >
    >
    >> and rm with user input.
    >
    >
    >And that is clearly the shell's rm(1).
    >
    >
    >> most of my commands to create directories, files and to remove files
    >> are with backtics,
    >
    >
    >You can do all three of those things in native Perl rather than
    >"shelling out" to external programs.
    >
    > perldoc -f mkdir
    > perldoc -f open
    > perldoc -f unlink
    >
    >
    >Avoiding a shell goes a long way toward peace of mind, so you
    >should avoid it whenever possible.
    >
    >As an added bonus, you could then move your program unchanged
    >to some other operating system.
    Steve Guest

  5. #5

    Re: safe cgi programming in perl?

    Tad McClellan <tadmcaugustmail.com> wrote:
    > Allowing dot may be dangerous, as it can have meta-meaning in a path.
    > What if
    > $pairs{affilate_ID} = '../etc/passwd';
    But equally, one has to consider these:
    $pairs{affilate_ID} = 'some.valid.file';
    $pairs{affilate_ID} = '.../hiddenfile';

    Chris
    --
    @s=split(//,"Je,\nhn ersloak rcet thuarP");$k=$l=@s;for(;$k;$k--){$i=($i+1)%$l
    until$s[$i];$c=$s[$i];print$c;undef$s[$i];$i=($i+(ord$c))%$l}
    news@roaima.freeserve.co.uk Guest
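    Tad's point (dot has meta-meaning in a path) and Chris's (plain dots in
    "some.valid.file" are legitimate, and "..." is not "..") can both be
    satisfied by checking the name component by component rather than by
    banning the character. The script below is an added example, not code
    from any poster; safe_path() and the data directory are assumed names,
    and the inputs are constructed to cover the cases quoted in the thread.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: a filename check that keeps dots inside
# a name ("some.valid.file") but rejects "..", any leading-dot name and any
# directory separator, then confirms the result still lies under the base.
# safe_path() and the base directory are assumptions for illustration.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# A scratch directory stands in for the affiliate data directory.
my $BASE = tempdir(CLEANUP => 1);

# Returns ($untainted_path, undef) on success or (undef, $reason) on failure.
sub safe_path {
    my ($base, $raw) = @_;
    return (undef, 'missing') unless defined $raw && length $raw;

    # Step 1: one component only. Slash, backslash and NUL are never allowed,
    # so "../x" and "a/../../etc/passwd" never reach the later checks.
    return (undef, 'separator') if $raw =~ m{[/\\\0]};

    # Step 2: dots are fine inside the name but not at the start:
    # ".", "..", "...", ".htaccess" and ".../hiddenfile" all stop here.
    return (undef, 'leading dot') if $raw =~ /^\./;

    # Step 3: the whitelist that also untaints. Only what $1 captured survives.
    my ($name) = $raw =~ /^([A-Za-z0-9_][-A-Za-z0-9_.]*)$/
        or return (undef, 'charset');

    # Step 4: defence in depth. Resolve the base (symlinks included) and
    # require the final path to sit directly under it, so a later change to
    # the whitelist cannot silently reintroduce an escape.
    my $real_base = realpath($base);
    return (undef, 'no base') unless defined $real_base && -d $real_base;
    my $path = File::Spec->catfile($real_base, $name);
    return (undef, 'escapes base') unless index($path, "$real_base/") == 0;
    return ($path, undef);
}

# Constructed inputs: Tad's traversal strings, Chris's two cases, and a few
# more shapes a validator should have an answer for.
for my $in ('some.valid.file', '../etc/passwd', '../../etc/passwd',
            '.../hiddenfile', '..', '.htaccess', 'report.2003-07.txt',
            "a\0b", 'sub/dir') {
    my ($path, $why) = safe_path($BASE, $in);
    (my $shown = $in) =~ s/\0/\\0/g;
    printf "%-20s %s\n", $shown,
        defined $path ? "ok: $path" : "rejected ($why)";
}
```

    The order of the checks matters: the separator and leading-dot tests run
    on the raw string before the whitelist, so the whitelist never has to be
    clever about dots, and the capture in step 3 remains the single place
    where taint is removed.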
