NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

  • Using values from web-form input in a qx{ sprintf "blah %s blah", $input } without taint checking the $input first is not safe, never was, never should have been considered safe. If someone ever said "it's only a way to crash the program, no way to break in here", they were not listening to history. Running system commands with user input is always going to be a target of opportunity; you have to defend that in depth. You've got to check for buffer overrun (even if you can't see the buffer) and ;'s and
    --
    Bill
    # I had a sig when sigs were cool
    use Sig;
    • I think what’s happening is that they’re doing something like this:

      printf "%${precision}d", $somenumber;

      where $precision derives from user input. This exposes Perl code to all the same format string vulnerabilities [wikipedia.org] that have commonly been found in C code. I’ve been pointing this out for a while now. I’m surprised that not more people have picked up on it.

      The right way to write that code, in the general case, is like so:

      $precision =~ s/%/%%/g;   # neutralise any '%' in the user-supplied value
      printf "%${precision}d", $somenumber;

      • by n1vux (1492) on 2005.11.30 10:44 (#44922)
        Oh, varargs, even worse than usual buffer stuff. Ouch. Thanks for the wikipedia link!

        I can see where prepping the stack for a varargs hack could be hard but not impossible with only a web client to work with.

        Escaping or removing all relevant magic characters e.g., % is only one of the things one must do with user input before using it. Verifying syntax is as expected and size isn't absurd is also required for safety. (Some semantic checks may even be required to protect the backend from GIGO attacks, but that's beyond this scope.) Removing all characters you don't expect is often easier and usually safer than trying to escape everything that might matter at this or next layer -- or just rejecting immediately but politely any query with nonsense characters.

        --
        Bill
        # I had a sig when sigs were cool
        use Sig;
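An added example, not code from either comment above, that runs the two fixes discussed in this thread (the doubled-% escape from the earlier comment and the digits-only allow-list n1vux recommends) against constructed inputs. The sample values and the assumption that the field is meant to hold a small field width are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values for a web-form "precision" field (assumption:
# the field is meant to hold a small field width). Only the first is sane.
my @samples = ('5', '%s%s%s', 'abc', '1000000');

# Vulnerable pattern from the thread: the user value is interpolated into
# the format string, so any '%' it contains is parsed as a conversion.
sub format_unsafe {
    my ($precision, $number) = @_;
    return sprintf "%${precision}d", $number;
}

# The thread's escaping fix. Note that the template's own leading '%' pairs
# with the first doubled '%', so a value that starts with '%' still gets a
# conversion into the format; and nothing here bounds the width.
sub format_escaped {
    my ($precision, $number) = @_;
    $precision =~ s/%/%%/g;
    return sprintf "%${precision}d", $number;
}

# Allow-list form: accept only 1-2 digits, and hand the width to sprintf as
# a numeric argument through '*', so user text never enters the format.
sub format_checked {
    my ($precision, $number) = @_;
    return undef unless defined $precision && $precision =~ /\A[0-9]{1,2}\z/;
    return sprintf "%*d", $precision, $number;
}

# Report length plus a prefix, because the absurd-width case yields ~1 MB.
sub summarise {
    my ($s) = @_;
    return 'rejected' unless defined $s;
    return sprintf "len=%d [%s]", length($s), substr($s, 0, 12);
}

for my $p (@samples) {
    print "input '$p'\n";
    print "  unsafe  : ", summarise(format_unsafe($p, 42)),  "\n";
    print "  escaped : ", summarise(format_escaped($p, 42)), "\n";
    print "  checked : ", summarise(format_checked($p, 42)), "\n";
}
# With 'use warnings' the bad inputs also make sprintf emit "Invalid
# conversion in sprintf" / "Missing argument in sprintf" on STDERR; in a
# real application those warnings in the logs are a useful detection signal.
```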