Provided by: manpages-zh_1.5.2-1_all bug


       perlsec - Perl



        PerlIDID""setuidunix04000setgid UNIX02000 -T ""CGI



       o   printsyswrite




            Perl  POSIX::system


           $arg = shift;               # $arg
           $hid = $arg, 'bar';         # $hid
           $line = <>;                 #
           $line = <STDIN>;            #
           open FOO, "/home/me/bar" or die $!;
           $line = <FOO>;              #
           $path = $ENV{'PATH'};       # ,
           $data = 'abc';              #

           system "echo $arg";         #
           system "/bin/echo", $arg;   #
                                       # (Perl  /bin/echo)
           system "echo $hid";         #
           system "echo $data";        # PATH

           $path = $ENV{'PATH'};       # $path

           $ENV{'PATH'} = '/bin:/usr/bin';
           delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

           $path = $ENV{'PATH'};       # $path
           system "echo $data";        # !

           open(FOO, "< $arg");        # OK -
           open(FOO, "> $arg");        # Not OK -

           open(FOO,"echo $arg|");     # Not OK
               or exec 'echo', $arg;   #  not OK

           $shout = `echo $arg`;       # , $shout

           unlink $data, $arg;         #
           umask $arg;                 #

           exec "echo $arg";           #
           exec "echo", $arg;          #
           exec "sh", '-c', $arg;      #

           @files = <*.c>;             #  ( readdir() )
           @files = glob('*.c');       #  ( readdir() )

           # In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would
           # have used an external program to do the filename expansion; but in
           # either case the result is tainted since the list of filenames comes
           # from outside of the program.

           $bad = ($arg, 23);          # $bad will be tainted
           $arg, `true`;               # Insecure (although it isn't really)

       "Insecure dependency""Insecure $ENV{PATH}"

       Laundering and Detecting Tainted Data

       "Insecure dependency"CPANTaint.pm1997 is_tainted()

           sub is_tainted {
               return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };


       Perl$1, $2


           if ($data =~ /^([-\@\w.]+)$/) {
               $data = $1;                     # $data now untainted
           } else {
               die "Bad data in '$data'";      # log this somewhere


       use locale$data1416


       Taint mode and @INC

       When the taint mode ("-T") is in effect, the "." directory is removed
       from @INC, and the environment variables "PERL5LIB" and "PERLLIB" are
       ignored by Perl. You can still adjust @INC from outside the program by
       using the "-I" command line option as explained in perlrun. The two
       environment variables are ignored because they are obscured, and a user
       running a program could be unaware that they are set, whereas the "-I"
       option is clearly visible and therefore permitted.

       Another way to modify @INC without modifying the program, is to use the
       "lib" pragma, e.g.:

         perl -Mlib=/foo program

       The benefit of using "-Mlib=/foo" over "-I/foo", is that the former
       will automagically remove any duplicated directories, while the later
       will not.

       Cleaning Up Your Path



           delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   #  %ENV





               use English '-no_match_vars';
               die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
               if ($pid) {           # parent
                   while (<KID>) {
                       # do something
                   close KID;
               } else {
                   my @temp     = ($EUID, $EGID);
                   my $orig_uid = $UID;
                   my $orig_gid = $GID;
                   $EUID = $UID;
                   $EGID = $GID;
                   # Drop privileges
                   $UID  = $orig_uid;
                   $GID  = $orig_gid;
                   # Make sure privs are really gone
                   ($EUID, $EGID) = @temp;
                   die "Can't drop privileges"
                       unless $UID == $EUID  && $GID eq $EGID;
                   $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH.
                   # Consider sanitizing the environment even more.
                   exec 'myprog', 'arg1', 'arg2'
                       or die "can't exec myprog: $!";




       Security Bugs


       ""set-idset-idPerlsetuid/gid, setuidsetgidsuidperl

       set-idPerlset-idset-idC WrapperC WrapperPerlset-idC Wrapper

           #define REAL_PATH "/path/to/script"
           main(ac, av)
               char **av;
               execv(REAL_PATH, av);

       C Wrappersetuidsetgid


       Perl 5.6.1 suidperl

       Protecting Your Programs







       Unicode is a new and complex technology and one may easily overlook
       certain security pitfalls.  See perluniintro for an overview and
       perlunicode for details, and "Security Implications of Unicode" in
       perlunicode for security implications in particular.

       Algorithmic Complexity Attacks

       Certain internal algorithms used in the implementation of Perl can be
       attacked by choosing the input carefully to consume large amounts of
       either time or space or both.  This can lead into the so-called Denial
       of Service (DoS) attacks.

       o   Hash Function - the algorithm used to "order" hash elements has
           been changed several times during the development of Perl, mainly
           to be reasonably fast.  In Perl 5.8.1 also the security aspect was
           taken into account.

           In Perls before 5.8.1 one could rather easily generate data that as
           hash keys would cause Perl to consume large amounts of time because
           internal structure of hashes would badly degenerate.  In Perl 5.8.1
           the hash function is randomly perturbed by a pseudorandom seed
           which makes generating such naughty hash keys harder.  See
           "PERL_HASH_SEED" in perlrun for more information.

           The random perturbation is done by default but if one wants for
           some reason emulate the old behaviour one can set the environment
           variable PERL_HASH_SEED to zero (or any other integer).  One
           possible reason for wanting to emulate the old behaviour is that in
           the new behaviour consecutive runs of Perl will order hash keys
           differently, which may confuse some applications (like
           Data::Dumper: the outputs of two different runs are no more

           Perl has never guaranteed any ordering of the hash keys, and the
           ordering has already changed several times during the lifetime of
           Perl 5.  Also, the ordering of hash keys has always been, and
           continues to be, affected by the insertion order.

           Also note that while the order of the hash elements might be
           randomised, this "pseudoordering" should not be used for
           applications like shuffling a list randomly (use
           List::Util::shuffle() for that, see List::Util, a standard core
           module since Perl 5.8.0; or the CPAN module
           Algorithm::Numerical::Shuffle), or for generating permutations (use
           e.g. the CPAN modules Algorithm::Permute or
           Algorithm::FastPermute), or for any cryptographic applications.

       o   Regular expressions - Perl's regular expression engine is so called
           NFA (Non-Finite Automaton), which among other things means that it
           can rather easily consume large amounts of both time and space if
           the regular expression may match in several ways.  Careful crafting
           of the regular expressions can help but quite often there really
           isn't much one can do (the book "Mastering Regular Expressions" is
           required reading, see perlfaq2).  Running out of space manifests
           itself by Perl running out of memory.

       o   Sorting - the quicksort algorithm used in Perls before 5.8.0 to
           implement the sort() function is very easy to trick into
           misbehaving so that it consumes a lot of time.  Nothing more is
           required than resorting a list already sorted.  Starting from Perl
           5.8.0 a different sorting algorithm, mergesort, is used.  Mergesort
           is insensitive to its input data, so it cannot be similarly fooled.

       See <> for more information, and
       any computer science text book on the algorithmic complexity.



       nan1nan1 <>