> -----Original Message-----
> From: Jay [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 18, 2005 3:42 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Securing user data
>
> On Fri, 18 Feb 2005 14:33:24 -0600, Tyson Sommer
> <[EMAIL PROTECTED]> wrote:
> > Are there any not-so-obvious problems with untainting user input for
> > passing to the shell with something like (for the sake of simplicity):
> >
> > # need to be able to use "." and "-" characters as well as alphanumerics
> > chomp ( my $input = <STDIN> );
> > $input =~ s/[^A-Za-z0-9\-\.]//g;
> >
> > system ("some_system_binary_here $input");
> >
> > Thanks!
> > tyson
>
> That partly depends on how portable you want to be. You might look into
> POSIX or Unicode classes, e.g. \p{IsAlnum} or [:alnum:]. Also, it looks
> as if you're probably taking a filename here; '_' is probably a valid
> character,
Oh yeah, forgot that one :-)

> and in square brackets, '.' is a literal '.' not a metacharacter, so it
> shouldn't be escaped.

Gotcha. Now... will escaping them in the character class actually be
escaping them? Or did I just allow for "\" as well? I'll test it out...

Nope! The result is the same whether I escape "-" with "\" or not. Didn't
allow for "\" and did allow "-" either way. Learning...

> Beyond that, think a little bit about what your application is here.
> Figure out what you're expecting here, and look for it. Will all your
> filenames have, say, dots and an extension? Then perform the
> substitution and then do 'next unless /.+\..{3}/'.

Basically, that's it. Let's say, just for the sake of argument, that I
want to ping something (that may or may not arbitrarily have "."s, "_"s,
and/or "-"s in its filename in arbitrary positions). I want to make sure a
user can't input something like:

"some_valid_device | some_malicious_code"

So that after it tells the system to run the ping (or whatever) they
can't then trick the system into piping thru some other potentially
malicious program.

> What program are you passing to? Is it a *nix system? How will the
> program react to a bare '-', especially if there's nothing further
> coming on STDIN? Are there situations in which the input could be
> interpreted as an argument, rather than a file to open (or vice versa,
> depending on the application)? For instance, if the user enters '-v',
> will that return version information on your program? Could that
> information be abused?

Those are some good points. I should definitely strip any leading "-"s.
This appears to work:

$input =~ s/^-*|[^A-Za-z0-9._-]//g;

> Some things to think about.

Much thanks! Anyone think of any more potential problems that I might be
missing?

Tyson

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
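An added example, not code from the thread, putting together the points raised above: an allowlist that rejects rather than strips, a check for a leading '-' so the value cannot be read as an option, the effect of where '-' sits inside a character class (the escaping question Tyson tested), and the list form of system() so no shell parses the argument at all. The function names untaint_host and ping_host and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist check for a hostname-style argument. Reject rather than strip:
# a stripped string can still be a different, valid-looking name
# ("a | b" becomes "ab"), which hides that the input was tampered with.
sub untaint_host {
    my ($raw) = @_;
    return undef unless defined $raw;
    chomp $raw;
    # '-' is placed last so it is a literal. Written in the middle, as in
    # [.-_], it is a range from 0x2E to 0x5F that also admits ';', '/',
    # ':', '@', '\' and more.
    return undef unless $raw =~ /^([A-Za-z0-9._-]+)\z/;
    my $clean = $1;                     # capture group untaints under -T
    return undef if $clean =~ /^-/;     # '-v', '-c', ... would be options
    return $clean;
}

# Strip-style variant with '-' unescaped in the middle of the class, kept
# only to show that the range admits ';' (0x3B) and so leaves it in place.
sub strip_with_range {
    my ($s) = @_;
    $s =~ s/^-*|[^A-Za-z0-9.-_]//g;
    return $s;
}

# Run ping with the list form of system(): the arguments go straight to
# execvp(), so '|', ';' and backticks are never interpreted by a shell.
sub ping_host {
    my ($raw) = @_;
    my $host = untaint_host($raw);
    die "rejected input\n" unless defined $host;
    return system('ping', '-c', '1', $host) >> 8;   # ping's exit status
}

# Constructed sample inputs; the network is not touched here.
for my $in ('router-1.example.net', 'host_a; id', '-v', 'a | b') {
    my $ok = untaint_host($in);
    printf "%-24s -> %s\n", "'$in'",
        defined $ok ? "accepted as '$ok'" : 'rejected';
}
print "strip-style result for 'host_a; id': ",
    strip_with_range('host_a; id'), "\n";
```

Compare the two results for 'host_a; id': the allowlist rejects it outright, while the strip-style class with the unescaped '-' in the middle keeps the ';' because it falls inside the '.'..'_' range.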