--- erotomek <[EMAIL PROTECTED]> wrote:
> ALWAYS USE THE TAINT MODE !!!
>
> Use the -T switch:
>
> #!/usr/bin/perl -wT
>
> and untaint the $file variable:
>
> die 'INSECURE $file !!!' if $file =~ /\.\./;
> if ($file =~ /^([-\w./]+)$/) { $file = $1 }
> else { die 'INSECURE $file !!!' }
>
> and now you can use it.
You supplied some great information; however, your example of plugging the security hole has a security hole itself. From the command line on any *nix system, enter the following (assuming you are not root):

    cd \.\.

You quickly discover that the shell allows those dots to be escaped. In a URL, that translates to something like:

    %5c.%5c.%2F%5c.%5c.%2Fetc%2Fpasswd

(That's "\.\./\.\./etc/passwd".) Many variations of that can be tried to find out if there is a security hole.

If you must allow the user to specify a file name, get rid of any ASCII zeroes in the file name (to prevent NUL byte hacks -- I explain that at http://www.easystreet.com/~ovid/cgi_course/lesson_three/lesson_three.html under the title "Poison Null byte"). Then, you can use File::Path to get the real filename. Even then, though, I'm leery of allowing user data near the shell, but sometimes it is necessary.

Cheers,
Curtis "Ovid" Poe

=====
"Ovid" on http://www.perlmonks.org/
Someone asked me how to count to 10 in Perl:
push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A
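As an added illustration of the points raised in this thread (this is not code from either poster), here is one way to untaint a user-supplied file name under -T: allow-list the characters, refuse NUL bytes and ".." segments, and confine the canonicalised path to a fixed base directory. The base directory /var/www/docs is an assumption.

```perl
#!/usr/bin/perl -wT
# Added example, not part of the original thread: untaint a file name
# by allow-listing characters, rejecting NUL bytes and '..' segments,
# and confining the resolved path to a fixed base directory.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Base directory that user-visible files must stay inside (assumed
# path); canonicalised so the prefix check below is not fooled by a
# symlinked parent directory.
my $BASE = realpath('/var/www/docs') or die "base directory missing\n";

sub safe_path {
    my ($raw) = @_;
    die "empty file name\n" unless defined $raw && length $raw;

    # 1. Poison NUL: the C-level open() stops at the first \0 while
    #    Perl keeps the rest of the string, so reject it outright.
    die "NUL byte in file name\n" if index($raw, "\0") >= 0;

    # 2. Allow-list: word characters, '.', '/' and '-'. A backslash is
    #    not in the list, so the \.\./ variants discussed above fail here.
    my ($clean) = $raw =~ m{^([\w./-]+)$}
        or die "disallowed characters in file name\n";

    # 3. Refuse any '..' segment instead of trying to normalise it away.
    die "path traversal attempt\n" if grep { $_ eq '..' } split m{/}, $clean;

    # 4. Canonicalise (follows symlinks) and require the result to be
    #    $BASE itself or something strictly inside it.
    my $abs = realpath(File::Spec->catfile($BASE, $clean))
        or die "no such file\n";
    die "path escapes base directory\n"
        unless $abs eq $BASE || index($abs, "$BASE/") == 0;

    # 5. realpath() output is derived from tainted input and is still
    #    tainted; a regex capture is what clears the flag before open().
    ($abs) = $abs =~ m{^(/.*)$}s;
    return $abs;
}

print safe_path($ARGV[0]), "\n" if @ARGV;
```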