On Tue, Aug 20, 2013 at 11:39 AM, Kevin C. Krinke ke...@krinke.ca wrote:
Hi all,
I've just noticed (yes, I've been way out of the loop on my own projects
for far too long) the user reviews of my module UI::Dialog.
In particular: http://cpanratings.perl.org/user/avian
What really spoils the good impression is that it's full of security
issues. Don't use for displaying any untrusted strings as it is trivial to
trick the module into executing arbitrary shell commands.
I like using Tie::Function for providing interpolation-time sanitization
for data that is to get interpolated.
One could do something like this:
use Tie::Function;
tie our %SE, 'Tie::Function', sub { "\Q$_[0]\E" }; # Shell Escape (\Q...\E only works inside a string)
and then whenever the module does a system call, wrap the tainted variables.
That is, if you've currently got something like
system("$command $arg1 $arg2"); # suboptimal, but works for this example
that would become, assuming $command is coder-provided and the args are
from the user,
system("$command $SE{$arg1} $SE{$arg2}");
This approach also works well for entity-encoding data that goes in hidden
field value elements in HTML forms, and preventing other types of code
injection.
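Added example (not code from this thread or from UI::Dialog): the interpolation-time escape described above, runnable end to end. It assumes Tie::Function's FETCH-through-callback semantics and substitutes a small stand-in tie class (Local::TieCallback, a hypothetical name) so it runs without the CPAN module; the untrusted title string is constructed for the demonstration. It also shows the list form of system(), which avoids the shell entirely and is the stronger fix wherever the command line can be split into separate arguments.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Stand-in for Tie::Function (assumption: same semantics, FETCH calls the
# callback with the hash key), so the example runs without the CPAN module.
package Local::TieCallback {
    sub TIEHASH { my ($class, $cb) = @_; return bless { cb => $cb }, $class }
    sub FETCH   { my ($self, $key) = @_; return $self->{cb}->($key) }
}

package main;

# %SE: "shell escape" applied at interpolation time. "\Q...\E" is quotemeta,
# which backslash-escapes every character outside [A-Za-z0-9_].
tie our %SE, 'Local::TieCallback', sub { "\Q$_[0]\E" };

# Constructed untrusted input: a dialog title a user might supply. Every
# shell metacharacter in here must reach printf as literal text.
my $title = q{Hello; echo INJECTED $(id) `id` "quoted" 'single'};

# 1. Interpolating $SE{...} yields one backslash-escaped word. It must be
#    placed unquoted on the command line: inside double quotes sh keeps
#    sequences such as \; verbatim and the escaping would be visible.
my $cmd = "printf '%s\\n' $SE{$title}";
my $out = qx{$cmd};
print "escaped via \%SE: $out";

# 2. List-form system() passes arguments directly to execvp without /bin/sh,
#    so no escaping is needed and no metacharacter is ever interpreted.
system('printf', '%s\n', $title) == 0
    or die "printf failed: $?";
```

Both calls print the title exactly as typed, semicolon, command substitutions and quotes included. The quotemeta route is the right tool where a single command string is unavoidable (UI::Dialog builds a command line for an external dialog binary); where the arguments can be separated, the list form removes the shell from the picture and with it the whole class of injection the review describes.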