On Tue, Aug 20, 2013 at 11:39 AM, Kevin C. Krinke <ke...@krinke.ca> wrote:

> Hi all,
>
> I've just noticed (yes, I've been way out of the loop on my own projects
> for far too long) the user reviews of my module UI::Dialog.
>
> In particular: http://cpanratings.perl.org/user/avian
> What really spoils the good impression is that it's full of security
> issues. Don't use for displaying any untrusted strings as it is trivial to
> trick the module into executing arbitrary shell commands.
I like using Tie::Function for providing interpolation-time sanitization
for data that is to get interpolated.

One could do something like this:

   use Tie::Function;
   tie our %SE, 'Tie::Function', sub {"\Q$_[0]\E"};  # Shell Escape

and then whenever the module does a system call, wrap the tainted variables.

That is, if you've currently got something like

      system("$command $arg1 $arg2");  # suboptimal, but works for this example

that would become, assuming $command is coder-provided and the args are
from the user,

      system("$command $SE{$arg1} $SE{$arg2}");


This approach also works well for entity-encoding data that goes in hidden
field value elements in HTML forms, and preventing other types of code
injection.
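
The interpolation-time escaping described above, as an added, runnable example that is not code from the original message. It uses a minimal core-Perl tie class as a stand-in for Tie::Function (same FETCH-calls-your-coderef behaviour) so it runs without CPAN; the hostile input and the `ShellEscape` package name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal stand-in for Tie::Function (core Perl only): every lookup on the
# tied hash runs the supplied coderef on the key, so $SE{$x} yields quotemeta($x).
package ShellEscape;
sub TIEHASH { my ($class, $code) = @_; return bless { code => $code }, $class }
sub FETCH   { my ($self, $key)   = @_; return $self->{code}->($key) }

package main;
tie our %SE, 'ShellEscape', sub { "\Q$_[0]\E" };   # Shell Escape, as in the post

# Constructed attacker-style input: a shell metacharacter smuggled into a "title".
my $user_title = q{hello; echo INJECTED};
my $command    = 'printf %s\n';                    # coder-provided, trusted

# Unsafe: the raw string is interpolated into the command line, so the ';'
# ends the printf command and the shell runs "echo INJECTED" as a second one.
sub unsafe_cmdline { return "$command $_[0]" }

# Hardened: the tied hash backslash-escapes every non-word character at
# interpolation time, so the shell sees one literal argument.
sub safe_cmdline   { return "$command $SE{$_[0]}" }

print "unsafe: ", unsafe_cmdline($user_title), "\n";
print "safe:   ", safe_cmdline($user_title),   "\n";
# safe:   printf %s\n hello\;\ echo\ INJECTED

system(safe_cmdline($user_title)) == 0 or die "printf failed: $?";
# prints the literal text "hello; echo INJECTED", nothing is injected

# Where the module controls the call, list-form system() avoids the shell
# entirely and needs no escaping at all; the quotemeta approach is the
# fallback for code that must keep building a single command string.
system('printf', '%s\n', $user_title) == 0 or die "printf failed: $?";
```

Note that `\Q...\E` escaping targets Bourne-style shells; quotemeta is not a correct quoting rule for other command interpreters.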
