The Perl security monitors |http://www.cshu.net




                               About us 
                               Commercial cooperation 
                               Copyright declaration 
                               Contacts with us 



            Returns to the home pageArticle browsingOther columnsLands the forum


            |   The absolute &#21019;   |   |   hacker file   |   |   is newest 
            dynamically   |   
                  |  The hacker file>>invasion analyzes>>Perl the secure monitor 
                   Printing

            Perl secure monitor
            Www.cshu.net  2003-1-27  fog rain village 

              This month column introduced Perl being called "tainting" the 
              internal security mechanism, it may let Perl catch 
              Any possibly causes the secure question the system call. I 
              intensely recommend in yours all CGI procedure open "tainting" the 
              mechanism. 
              CGI causes on the Internet any person all to be allowed to move 
              the procedure on yours computer, this enables CGI to become the 
              world 
              On most popular security loophole. As the programmer, our 
              responsibility is does not let the unprincipled person invade our 
              system, regarding us 
              Establishes the procedure said that, must achieve does not have 
              the loophole to be possible to drill. 
              For example, under this CGI procedure, is a bad procedure: 
              #! /usr/bin/perl -w 
              # cgi-bad a not good cgi script example 
              ... 
              = param ("FILE") 
              Or die "Must fill out the FILE field\n"; 
              Unlink ("/usr/local/public/data/$file") 
              Or die "Can't delete: $! \n "; 

              What this script does is the read-out the filename which inputs in 
              the table list, and from table of contents /usr/local/public/data/ 

              Center deletes this name the document. Wrong! This script does in 
              fact is lets any user to on the network server usercode 
              May delete any document makes the deletion operation. Please 
              looked that, 
              % setuid-bad../.. /etc/apache/var/userdb 

              Good Heavens! There is the user database! 
              We originally must do are the inspection routine parameter, 
              determined whether it is the filename. The question is outside 
              your procedure 
              An institute produces the data used in the system call, like nlink 
              (), open (), with system (). But you certainly did not plan 
              Lets the data which produces outside yours procedure affect the 
              outside world. 
              Perl has an option, after opens, may force you to inspect the 
              constant, the environment, the input, or other have the 
              possibility not 
              Bosom good intention person use loophole. This option is called 
              "tainting" 
              Opens the Taint inspection option 
              Must open the taint inspection option, lets Perl bring a -T 
              option: 
              #! /usr/bin/perl -wT 
              If we in above procedure movement time, has the T option, we can 
              see the following information: 
              Insecure dependency in unlink while running with 
              -T switch at setuid-bad line 5. 

              In the Perl track value, it is in yours procedure exterior 
              production, (it is called "tainted"). Unlink () 
              Was considered is a unsafe operation, because it to outside world 
              influential: Document. Under unsafe operation, business 
              The chart use does not have the confidence level (tainted) the 
              data is dangerous. Just like we already saw, the data possibly had 
              crafty. 
              These loopholes may by the Perl taint inspection option when the 
              movement catches, and causes the procedure to stop. 
              Tainted data 
              The Tainted data originates very much, including: Originates 
              disperses to yours environment tabulates (the %ENV), parameter 
              (@ARGV), 
              The read-in document and the table of contents, originate in the 
              movement procedure, as well as some system calls results (read out 
              the password number with getpw 
              According to storehouse in GECOS territory). Any to the tainted 
              value operation (increase, merge, insertion), its end value also 
              is tainted. 
              This looked like is the data once has been glued on the stain, 
              where then regardless of the data did disseminate, could the stain 
              bring to where. 
              Only some three ways, may obtain "untainted" the value: The data 
              directly indicates in the procedure; The data comes from 
              To safe function (for example localtime); Or the use regular 
              expression withdraws from not the security function tainted string 

              A part. 
              = 4; # untainted 
              = [ 0 ]; # tainted 
              =~ m {^ ([ ^/ ] +) $} 
              Or die "is not a good filename. \n"; 
              = $1; # untainted 

              Includes through the regular expression with the parenthesis, 
              founded $1, $2... variable. These all are the untainted data. 
              Through the regular expression, you may believe firmly the value 
              which it is you expected. If the match defeat, you can obtain the 
              defeat information. 
              If matches successfully, $1.. The variable has contained the 
              untainted data which you may use. 
              If we already opened the tainting option, when we attempted made 
              unlink () to operate, Perl interpreter meeting 
              Stops, told in you to contain the tainted data. The filename is 
              tainted, because it comes from to does not believe 
              No matter what source: Uses your procedure person. 
              Bad movement 
              If you use the data is tainted, you want the majority matter which 
              the Perl procedure does to be able to produce make a mistake the 
              information. 
              If the filename or the procedure name are tainted, then moves the 
              procedure, opens the document to read in, as well as deletion 
              document, 
              These operations will be all forbidden to carry on. 
              How this will demonstrate under this kind of situation, will 
              relieve the tainted condition. 
              Considered: 
              System ("ls * h"); 
              Perl saw in yours string *, and the decision transferred shell, 
              like this: 
              Sh -c "ls * h" 
              But, indeed some people possibly use the vacation the way 
              environment variable to move your procedure, thus caused to 
              transfer wrongly 
              Sh or ls. Therefore, may use for regarding in the PATH variable as 
              well as SHELL to revise its behavior other variables, should carry 
              on 
              Untaint operation. 
              General, when moves other procedures, you should adopt three 
              steps: 
              Is clear about your environment variable, causes the movement is 
              the actual procedure. 
              Closes shell 
              Carries on the untaint operation to the procedure parameter. 
              With as follows and so on the simple way eliminates your 
              environment variable: 
              Delete @ENV {"IFS", "CDPATH", "ENV", "BASH_ENV"}; 
              {PATH} = "/bin:/usr/bin"; 

              The first line deletes possibly can cause the question environment 
              variable, the second line produces to guarantee safe PATH. You may 

              Increases other tables of contents to PATH in, but guarantees them 
              to be same by all means must with this place, has the true 
              definite value. 
              Closes shell also to have to grasp the discretion. Perl is 
              involving to the related shell operation, like open (), 
              System (), backticks, when () transfers with exec, has own rule, 
              these rules not too are easy to grasp. 
              The best rule is: Avoids using backticks and pipe open () 
              transfers, but is uses system () and exec (), 
              And bequeaths them the parameter list. 
              The majority person is accustomed to seedao the following mode of 
              writing: 
              System ("someprogram arg1 arg2 arg3"); 
              They did not know also may write like this: 
              System ("someprogram", "arg1", "arg2", "arg3"); 
              Such mode of writing, may precisely tell Perl each parameter is 
              any, Perl will not be able to transfer shell. 
              Exec () also has reads the parameter list and does not transfer 
              shell the characteristic. But if must use piped open () and 
              backticks, 
              Is unable to guarantee cannot use shell. 
              If you planned uses piped open or backticks, you must use the 
              following method reto realize: 
              $$PP D = open (COMMAND, "-|"); 
              Die "Couldn't fork: $!" Unless defined $$PP D; 
              If ($$PP D) { 
              @lines = <COMMAND>; 
              Close (COMMAND); 
              } else { 
              Exec ("some", "program", "with", "args") or die "execing: $!" 
              } 

              Generally speaking, even if your PATH has already made safe 
              processing, produces the procedure complete way which moves was 
              Great idea. This could avoid wrongly transferring /usr/bin/boom 
              but is not /home/user/bin/boom this 
              Plants the situation the occurrence, because in PATH /usr/bin is 
              located /home/usr/bin/boom. Before. 
              Filename 
              Carries on the operation when to the filename, uses unlink () or 
              <* h>, when or with open (), has the danger 

              The filename reads in which from the table of contents is tainted. 
              You may open a tainted filename to read in, but you 
              Cannot open it to read in. From document reading according to, no 
              matter filename whether tainted, already were tainted. Because 
              In order to use shell, you could not use <* h> to obtain the 
              document detailed list. 
              In order to inspect the filename whether is good, you must write a 
              regular expression, and carries on with the legitimate filename 
              Matches. In some situations, may use the following straightforward 
              procedure to inspect your data: 
              = [ 0 ]; 
              (=~ m {^ ([ ^/ ] +) $} && ne "." && ne ".." 
              Or die "Bad filename "; 
              = $1; 

              According to any does not contain the slanting bar the string 
              regular expression to inspect the filename, this target table of 
              contents removes in outside, 
              Then removes "." (Current directory) and ".." (Current directory 
              father table of contents). If these tests all passed, 
              In $1 variables deposits the filename which is we may use. 
              In order to obtain matches some kind of pattern the filename 
              detailed list, you already may from CPAN (File::KGlob and 
              File::BSD 
              Is two useful modules) installs the related module, also may use 
              reads the table of contents operation and the regular expression: 
              Opendir (DH, "/path/to/directory") or die "opening directory: $! 
              \n "; 
              While (defined (= readdir (DH))) { 
              Next unless /^ (. *\ h) $/; 
              Push (@files, $1); 
              } 
              Closedir (DH); 
              # @files is the list of untainted * h filenames 

              Inspects Taintedness 
              If you need to inspect taintedness, you may use the following 
              skill: 
              Sub is_tainted { 
              Return! Eval { 
              Join ('', @_), kill 0; 
              1; 
              }; 
              } 

              You need to understand two matters: Kill 0 besides returns to 
              "true", any does not do; If expression 
              The part has used the tainted data, then, this expression is 
              tainted. Therefore, if is_tainted transfer 
              When has used the tainted data, carries on kill to @_, 
              sufficiently causes Perl procedure die. 
              Untainting could also have the question 
              In not many situations, blindly untaint your data also has the 
              security loophole. Therefore also this time need 
              Tainting existence. If under is likely same, blindly to any data 
              all untaint: 
              =~/(. *) /s; # Is stupid 
              = $1; 

              The regular expression in the formula /s mark causes the period to 
              be allowed to match in the string any to line feed the symbol. 
              Through used. * us to match in string all marks, and with $1 
              stored this data the untainted transcription. 
              Just like the annotation said, does this is stupid. 
              Summary 
              -T opens the tainting option. Comes from your procedure outside 
              the data is tainted, cannot use these data, 
              In order to avoid affects the outside world. 
              With the regular expression and $1, $2... the variable carries on 
              untaint. Must move other procedures, establishes good path, 
              Do not use shell, and carries on untaint to the parameter. 
              Further reading 
              In detail elaborated in perlsec manpage the tainting mechanism, 
              and has produced more examples. 
              The Chapter Perl Cookbook 16th chapter discussed the advancement 
              management, has demonstrated the non-shell version 
              Piped opens and other interesting usages


              Original author: Nathan Torkington 
              Origin: Www.zdnet.com.cn 
              Altogether has 30 readers to read this article 

              [Tells friend] 
            Previous article:Ridicules the Internet: Unprecedented viral event 

            Next article: Already did not have 

            - this week popular article - related article 
            Perl secure monitor



      CSHU 
