use Perl

• sprint formats inputs and taint (Score:1)

  by n1vux (1492)

  Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity, you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer ) and ;'s and

  --
  Bill
  # I had a sig when sigs were cool
  use Sig;
  • Re: (Score:1)

    by Aristotle (5147)

    I think what’s happening is that they’re doing something like this:

    printf "%${precision}d", $somenumber;

    where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities [wikipedia.org] that have commonly been found in C code. I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

    The right way to write that code, in the general case, is like so:

    $precision =~ s/%/%%/g;
    printf "%${precision}d", $somenumb
    • Re: (Score:2)

      by jhi (318)

      > I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.
      
      So I assume that you have long since reported this through perlbug and/or perl5-porters and since it's a security flaw also contacted the branch maintainers (Rafael and Nicholas) directly?
      
      
      • Re: (Score:1)

        by sigzero (5768)

        I think what he is saying is that it isn't a *core* Perl flaw but a flaw in programming methodology.
        • Core perl or methodology? (Score:1)

          by n1vux (1492)

          Well, let's say it's both. Perl could have been more paranoid, C lib could be more paranoid, Perl script authors should be more paranoid. Unclear but I suspect this bug is only usable when Taint mode should have been wasn't? MaintPerl already has patch 26420 http://www.nntp.perl.org/group/perl.perl5.changes/14020 [perl.org] , so Perl is now a bit more paranoid. The Ubuntu security team reports the problem as follows. Also patched in FC4 security updates and FC3 backport. Somewhere along the line the CVE# got typo

          --
          Bill
          # I had a sig when sigs were cool
          use Sig;
      • Re: (Score:1)

        by Aristotle (5147)

        Huh? Should I also report the fact that open FH, $foo can be used for mischief if $foo derives from user input?

        And this isn’t even as openly dangerous.

        Cursory experimentation and a superficial browsing of the source suggests it’s not possible to corrupt perl’s stack using printf [perl.org], so this isn’t a vulnerability in perl. It is very well possible to inject unexpected %ns into the format string to make an application fall over, though, so it definitely constitutes a vulnerability in P
    • Re: Format (Score:1)

      by n1vux (1492)

      Oh, varargs , even worse than usual buffer stuff, Ouch. Thanks for the wikipedia link!

      I can see where prepping the stack for a varargs hack could be hard but not impossible with only a web client to work with.

      Escaping or removing all relevant magic characters e.g., % is only one of the things one must do with user input before using it. Verifying syntax is as expected and size isn't absurd is also required for safety. (Some semantic checks may even be required to protect the backend from GIGO attacks, b

      --
      Bill
      # I had a sig when sigs were cool
      use Sig;
    • Re: format strings (Score:1)

      by n1vux (1492)

      Full details are on the front page now, P5P http://use.perl.org/article.pl?sid=05/12/06/1353226&mode=nocomment&tid=12 [perl.org].

      --
      Bill
      # I had a sig when sigs were cool
      use Sig;