NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

  • Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity; you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer) and ;'s and
    # I had a sig when sigs were cool
    use Sig;
    • I think what’s happening is that they’re doing something like this:

      printf "%${precision}d", $somenumber;

      where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities that have commonly been found in C code. I’ve been pointing this out for a while now. I’m surprised that more people haven’t picked up on it.

      The right way to write that code, in the general case, is like so:

      $precision =~ s/%/%%/g;
      printf "%${precision}d", $somenumber;

      • > I’ve been pointing this out for a while now. I’m surprised that more people haven’t picked up on it.

        So I assume that you have long since reported this through perlbug and/or perl5-porters and, since it's a security flaw, also contacted the branch maintainers (Rafael and Nicholas) directly?

        • Huh? Should I also report the fact that open FH, $foo can be used for mischief if $foo derives from user input?

          And this isn’t even as openly dangerous.

          Cursory experimentation and a superficial browsing of the source suggests it’s not possible to corrupt perl’s stack using printf, so this isn’t a vulnerability in perl. It is very well possible to inject unexpected %ns into the format string to make an application fall over, though, so it definitely constitutes a vulnerability in Perl code. Whether the vulnerability can be used for arbitrary code injection will depend on the application.

          So no, it doesn’t seem like something I should report to p5p.
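The following is an added example, not code posted by anyone in this thread. It exercises the "%${precision}d" shape from the earlier comment and the later point that injected % conversions can make a Perl application fall over: a width string taken from a web form is interpolated into a sprintf format, beside a version that keeps the format constant and passes the width through sprintf's '*' argument after whitelisting it. The function names (fmt_vulnerable, fmt_hardened, try_format) and the three inputs are constructed for the demonstration; the 42 stands in for whatever number the application was printing.

```perl
#!/usr/bin/perl
# Added example, not from the thread: user-controlled width in a printf
# format, beside a version that never lets user data into the format.
use strict;
use warnings;

# Vulnerable shape (as discussed above): the user string becomes part
# of the format itself, so any '%' it carries is parsed as a conversion.
sub fmt_vulnerable {
    my ($width, $number) = @_;
    return sprintf "%${width}d", $number;
}

# Hardened shape: the format is a constant, the width is whitelisted as
# a small integer and handed to sprintf through '*', which reads it
# from the argument list. User data is never format syntax here.
sub fmt_hardened {
    my ($width, $number) = @_;
    die "width must be 1-3 digits\n"
        unless defined $width && $width =~ /\A\d{1,3}\z/;
    return sprintf "%*d", $width, $number;
}

# Runs one formatter and collects its warnings and any fatal error,
# so a croak inside sprintf is shown rather than killing this script.
sub try_format {
    my ($code, $width, $number) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, $_[0] };
    my $out = eval { $code->($width, $number) };
    my $err = $@;
    return ($out, $err, \@warnings);
}

# Constructed inputs: one honest value and two attacker-supplied ones.
my @inputs = (
    "5",        # what the form field was designed for
    "20s%s",    # turns the format into "%20s%sd": extra conversions
    "9" x 25,   # width too large for sprintf's integer parser
);

for my $w (@inputs) {
    for my $impl (['vulnerable', \&fmt_vulnerable],
                  ['hardened',   \&fmt_hardened]) {
        my ($name, $code) = @$impl;
        my ($out, $err, $warns) = try_format($code, $w, 42);
        printf "%-10s width=%-28s ", $name, "'$w'";
        if ($err) {
            print "DIED: $err";
        }
        else {
            print "out='$out'";
            print "  warnings: ", scalar(@$warns) if @$warns;
            print "\n";
        }
    }
}
```

Run it with `perl` and compare the two columns. For "20s%s" the vulnerable formatter emits "%20s%sd": the number is printed as a padded string, the second %s finds no argument and produces a "Missing argument in sprintf" warning, and the trailing d is literal; with more arguments on the call, injected conversions would consume them instead. For the 25-digit width, the vulnerable formatter dies inside sprintf with "Integer overflow in format string for sprintf", which is the "fall over" case; a width that merely fits in an integer but is huge would instead force a large allocation. The hardened formatter rejects both payloads before sprintf ever sees them, and even a width that passes the whitelist cannot add conversions because it is an argument to '%*d', not part of the format.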