Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Is this a core Perl flaw? 5 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity, you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer ) and ;'s and
    --
    Bill
    # I had a sig when sigs were cool
    use Sig;

    • I think what’s happening is that they’re doing something like this:

      printf "%${precision}d", $somenumber;

      where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities [wikipedia.org] that have commonly been found in C code. I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

      The right way to write that code, in the general case, is like so:

      $precision =~ s/%/%%/g;
      printf "%${precision}d", $somenumb

      • > I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

        So I assume that you have long since reported this through perlbug and/or perl5-porters and since it's a security flaw also contacted the branch maintainers (Rafael and Nicholas) directly?

        • Re: (Score:1)

          by sigzero (5768) on 2005.11.30 8:39 (#44919) Journal

          I think what he is saying is that it isn't a *core* Perl flaw but a flaw in programming methodology.

          • Well, let's say it's both. Perl could have been more paranoid, C lib could be more paranoid, Perl script authors should be more paranoid. Unclear but I suspect this bug is only usable when Taint mode should have been wasn't? MaintPerl already has patch 26420 http://www.nntp.perl.org/group/perl.perl5.changes/14020 [perl.org] , so Perl is now a bit more paranoid. The Ubuntu security team reports the problem as follows. Also patched in FC4 security updates and FC3 backport. Somewhere along the line the CVE# got typo
            --
            Bill
            # I had a sig when sigs were cool
            use Sig;
Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.