Re: A better way ?
On Thu, Apr 18, 2002 at 06:21:52AM +0200, Paul Johnson wrote:
> On Wed, Apr 17, 2002 at 07:59:22PM -0400, Michael G Schwern wrote:
> > Just because the safety is on doesn't mean you should juggle handguns.
> > Never know whose foot it'll blow off.
>
> Awww.  You're no fun.

*bang*

-- 
Michael G. Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern/
Perl Quality Assurance [EMAIL PROTECTED] Kwalitee Is Job One
You can't set a generic cow. -- Randal Schwartz
Re: A better way ?
Michael G Schwern [EMAIL PROTECTED] wrote in message news:20020417205231.GV851@blackrider...
| On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
| > There's already a %dispatch set up for you by perl...
|
| I'd have used it but it just fell into the gaping security hole.
|
| A recent Phrack article pointed out that one of the SOAP/RPC/XML
| modules was doing this:
|
|     $soap->$tainted_method_name(@args);

That was SOAP::Lite

Steffen
-- 
$_=qq#tsee gmx.net#;s#e#s#g;s#[^\s\w]#c#;s#s#ust#g;s#t#J#e;s#nus#ker# ;chop;$c=' ';$c='12319';@c=split/(..)/,'8234130006710523';@d=split3 ,$c;chop;' at ';s#(t)ustust#$1\0ano$1;.#;y#.; #ehr#;@_=$_;shift@c,substr $_[0],$_,1,chr(ord(substr$_[0],$_)-shift@c)for$d[0]..$d[1];print$_[0]\n;
Re: A better way ?
On Wed, Apr 17, 2002 at 02:02:02PM -0400, Bill -Sx- Jones wrote:
> I have the habit of doing:
>
>     last if (substr($vFlag, 1, 3) eq 'END');
>     $vSub = \&Sneex   if (substr($vFlag, 1, 5) eq 'SNEEX');
>     $vSub = \&Admin   if (substr($vFlag, 1, 5) eq 'ADMIN');
>     $vSub = \&Reports if (substr($vFlag, 1, 7) eq 'REPORTS');
>     $vSub = \&Logs    if (substr($vFlag, 1, 4) eq 'LOGS');
>     $vSub = \&Targets if (substr($vFlag, 1, 7) eq 'TARGETS');
>     $vSub = \&Usenet  if (substr($vFlag, 1, 6) eq 'USENET');
>     (substr($_, 0, 1) eq '[') ? next : &$vSub;

    my @tags = qw /SNEEX ADMIN REPORTS LOGS TARGETS USENET/;

    last if 'END' eq substr $vFlag, 1, 3;
    next if '['   eq substr $_, 0, 1;

    {
        local $" = '|';          # so @tags interpolates as SNEEX|ADMIN|...
        no strict 'refs';
        &{ucfirst lc $1} () if $vFlag =~ /^.(@tags)/;
    }

Abigail
Re: A better way ?
[EMAIL PROTECTED] wrote:
> On Wed, Apr 17, 2002 at 02:02:02PM -0400, Bill -Sx- Jones wrote:
> > I have the habit of doing:
> >
> >     last if (substr($vFlag, 1, 3) eq 'END');
> >     $vSub = \&Sneex   if (substr($vFlag, 1, 5) eq 'SNEEX');
> >     $vSub = \&Admin   if (substr($vFlag, 1, 5) eq 'ADMIN');
> >     $vSub = \&Reports if (substr($vFlag, 1, 7) eq 'REPORTS');
> >     $vSub = \&Logs    if (substr($vFlag, 1, 4) eq 'LOGS');
> >     $vSub = \&Targets if (substr($vFlag, 1, 7) eq 'TARGETS');
> >     $vSub = \&Usenet  if (substr($vFlag, 1, 6) eq 'USENET');
> >     (substr($_, 0, 1) eq '[') ? next : &$vSub;
>
>     my @tags = qw /SNEEX ADMIN REPORTS LOGS TARGETS USENET/;
>
>     last if 'END' eq substr $vFlag, 1, 3;
>     next if '['   eq substr $_, 0, 1;
>
>     {
>         local $" = '|';
>         no strict 'refs';
>         &{ucfirst lc $1} () if $vFlag =~ /^.(@tags)/;
>     }

since the original sub was called as &$vSub; wouldn't this be more
equivalent (just in case @_ was to be passed to the sub intentionally)?

    &{ ucfirst lc $1 } if $vFlag =~ /^.(@tags)/;

-- 
Steve Lane [EMAIL PROTECTED]
Re: A better way ?
-- Bill -Sx- Jones [EMAIL PROTECTED]

> I have the habit of doing:
>
>     last if (substr($vFlag, 1, 3) eq 'END');
>     $vSub = \&Sneex   if (substr($vFlag, 1, 5) eq 'SNEEX');
>     $vSub = \&Admin   if (substr($vFlag, 1, 5) eq 'ADMIN');
>     $vSub = \&Reports if (substr($vFlag, 1, 7) eq 'REPORTS');
>     $vSub = \&Logs    if (substr($vFlag, 1, 4) eq 'LOGS');
>     $vSub = \&Targets if (substr($vFlag, 1, 7) eq 'TARGETS');
>     $vSub = \&Usenet  if (substr($vFlag, 1, 6) eq 'USENET');
>     (substr($_, 0, 1) eq '[') ? next : &$vSub;
>
> (NOTE: Obviously NOT all of the 668 lines of program code is here,
> so this doesn't stand on its own two feet...)
>
> Q: Is there a better way?

Use a hash as a jump table, with the keys being what you extract
and the values being subs.  If the string is regex-able then
something like:

    my %jumpz =
    (
        SNEEX => \&sneez,
        ...
    );

    ...

    my ($name) = $vflag =~ /(\w+)/;      # capture needed, or $name gets the match count
    my $sub = $jumpz{$name} or croak "$$: bogus vflag: $vflag";

double-check the syntax, but if you feel like shortening the result:

    $jumpz{($vflag =~ /(\w+)/)[0]}

or

    $jumpz{($vflag =~ /(\w+)/)[0]}->($vflag)

should return the sub or execute it on the fly.  That or a

    goto &{ $jumpz{(...)[0]} }

should dispatch the thing completely.

-- 
Steven Lembark                                 2930 W. Palmer
Workhorse Computing                          Chicago, IL 60647
                                              +1 800 762 1582
Re: A better way ?
On Wed, Apr 17, 2002 at 02:02:02PM -0400, Bill -Sx- Jones wrote:
> I have the habit of doing:
>
>     last if (substr($vFlag, 1, 3) eq 'END');
>     $vSub = \&Sneex   if (substr($vFlag, 1, 5) eq 'SNEEX');
>     $vSub = \&Admin   if (substr($vFlag, 1, 5) eq 'ADMIN');
>     $vSub = \&Reports if (substr($vFlag, 1, 7) eq 'REPORTS');
>     $vSub = \&Logs    if (substr($vFlag, 1, 4) eq 'LOGS');
>     $vSub = \&Targets if (substr($vFlag, 1, 7) eq 'TARGETS');
>     $vSub = \&Usenet  if (substr($vFlag, 1, 6) eq 'USENET');
>     (substr($_, 0, 1) eq '[') ? next : &$vSub;
>
> (NOTE: Obviously NOT all of the 668 lines of program code is here,
> so this doesn't stand on its own two feet...)
>
> Q: Is there a better way?

The above implies the format is something like:

    SNEEXADMINEND

in which case, suicide is an honorable option.  Adding in some sort
of delimiter:

    SNEEX|ADMIN|END

and then you can just split /\|/.

Either way, use a dispatch table.  Here's the example using the ugly
format.

    my $End = 0;
    sub End { $End = 1; }

    my %dispatch = (
        SNEEX   => \&Sneex,
        ADMIN   => \&Admin,
        REPORTS => \&Reports,
        END     => \&End,
        ...
    );

    while( length $vFlag && !$End ) {
        DISPATCH: foreach my $flag (keys %dispatch) {
            if( substr($vFlag, 0, length $flag) eq $flag ) {
                $dispatch{$flag}->();
                substr($vFlag, 0, length $flag, '');   # consume the matched flag
                last DISPATCH;
            }
        }
    }

something like that.

-- 
Michael G. Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern/
Perl Quality Assurance [EMAIL PROTECTED] Kwalitee Is Job One
The House of Representatives does hereby authorize the notification of
the casino riverboat consulate of this Resolution and impending whoopin'
so that they may remove their casino vessels to friendlier waters.
    -- Kentucky Legislature, HR 256 encouraging the purchase of a
       nuclear attack submarine.
Re: A better way ?
> suicide is an honorable option.

    croak "$$: The users are idiots!" unless $api eq "makes sense";

> Adding in some sort of delimiter:
>
>     SNEEX|ADMIN|END

    my %jumpz =
    (
        SNEEX => \&foo,
        ADMIN => \&bar,
        ...
    );

    my $regex = join '|', keys %jumpz;

    if( my ($name) = $vflag =~ /($regex)/o )
    {
        # do what you like with $jumpz{$name}
    }

-- 
Steven Lembark                                 2930 W. Palmer
Workhorse Computing                          Chicago, IL 60647
                                              +1 800 762 1582
Re: A better way ?
On 4/17/02 2:22 PM, Michael G Schwern [EMAIL PROTECTED] wrote:
> The above implies the format is something like:
>
>     SNEEXADMINEND
>
> in which case, suicide is an honorable option.

:)

Actually, the input data looks more like

    [SNEEX]
    [ADMIN]
    [END]

Sorry for the mass hysteria;

_Sx
('-Sx- IUDICIUM //\ Have Computer - v_/_Will Hack...
Re: A better way ?
> Actually, the input data looks more like
>
>     [SNEEX]
>     [ADMIN]
>     [END]

    my $regex = '\b(' . join('|', keys %jumpz) . ')\b';

    if( my ($name) = $foo =~ /$regex/o )
    {
        my $sub = $jumpz{$name};
        ...
    }

> Sorry for the mass hysteria;

What hysteria?  Hysteria?  Oh, no...  AAGH

-- 
Steven Lembark                                 2930 W. Palmer
Workhorse Computing                          Chicago, IL 60647
                                              +1 800 762 1582
Re: A better way ?
On Wed, Apr 17, 2002 at 02:34:20PM -0400, Bill -Sx- Jones wrote:
> On 4/17/02 2:22 PM, Michael G Schwern [EMAIL PROTECTED] wrote:
> > The above implies the format is something like:
> >
> >     SNEEXADMINEND
> >
> > in which case, suicide is an honorable option.
>
> :)
>
> Actually, the input data looks more like
>
>     [SNEEX]
>     [ADMIN]
>     [END]

    # setup %Dispatch as before, then...
    while( $vData =~ /\[([A-Z])\]/g ) {
        $Dispatch{$1}->();
        last if $End;
    }

-- 
Michael G. Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern/
Perl Quality Assurance [EMAIL PROTECTED] Kwalitee Is Job One
Re: A better way ?
On Wed, 17 Apr 2002 15:01:50 -0400, Michael G Schwern wrote:
> On Wed, Apr 17, 2002 at 02:34:20PM -0400, Bill -Sx- Jones wrote:
> > Actually, the input data looks more like
> >
> >     [SNEEX]
> >     [ADMIN]
> >     [END]
>
>     # setup %Dispatch as before, then...
>     while( $vData =~ /\[([A-Z])\]/g ) {

Somebody forgot a + here.

>         $Dispatch{$1}->();
>         last if $End;
>     }

And I assume line by line processing...

    while(<>) {
        if(/^\[([A-Z]+)\]$/) {
            ($Dispatch{$1} || \&default)->();
            last if $1 eq 'END';
        }
    }

    sub default {
        die "Something doesn't compute.";
    }

-- 
        Bart.
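As an added example (not code from any message in this thread), here is the one-[TAG]-per-line dispatch that Schwern's %dispatch table, his regex loop and Bart's corrected [A-Z]+ version build up to, complete enough to run stand-alone. The handler bodies, the default warning and the sample lines are constructed for the demonstration; the names follow the thread.

```perl
#!/usr/bin/perl
# Added example: a complete dispatch-table loop over "[TAG]" lines.
# Constructed for illustration; not the poster's program.
use strict;
use warnings;

my $End = 0;
my @seen;                       # constructed: records which handler ran

sub Sneex   { push @seen, 'Sneex' }
sub Admin   { push @seen, 'Admin' }
sub Reports { push @seen, 'Reports' }
sub End     { $End = 1 }

# The only subs reachable from input are the values of this hash.
# No symbolic reference is ever built from the input text.
my %Dispatch = (
    SNEEX   => \&Sneex,
    ADMIN   => \&Admin,
    REPORTS => \&Reports,
    END     => \&End,
);

# Unknown tags land here instead of in a call to an arbitrary sub name.
sub default { warn "unknown flag: $_[0]\n" }

# Constructed sample input; in the real program this would come from <>.
my @lines = (
    "[SNEEX]\n",
    "[admin]\n",        # wrong case: anchored [A-Z]+ does not match, line ignored
    "[BOGUS]\n",        # matches the regex but is not a key: default() warns
    "[ADMIN]\n",
    "[END]\n",
    "[REPORTS]\n",      # never reached: END stopped the loop
);

for (@lines) {
    chomp;
    next unless /^\[([A-Z]+)\]$/;    # anchored: only a run of A-Z gets through
    my $flag = $1;
    ( $Dispatch{$flag} || \&default )->($flag);
    last if $End;
}

print join(',', @seen), "\n";        # Sneex,Admin
```

Two things the thread argues for are visible in the output: a tag that passes the regex but is not in the table reaches only `default`, and the `$End` flag rather than a second string compare ends the loop, so `[REPORTS]` after `[END]` is never dispatched.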
Re: A better way ?
-- Michael G Schwern [EMAIL PROTECTED]

> On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
> > There's already a %dispatch set up for you by perl...
>
> I'd have used it but it just fell into the gaping security hole.
>
> A recent Phrack article pointed out that one of the SOAP/RPC/XML
> modules was doing this:
>
>     $soap->$tainted_method_name(@args);

Use -T and untaint by extracting the subname:

    my $flag = ::$input =~ /\w+$/;
    my $sub  = $jumpz{$flag};

or simply:

    croak "$$: Bogus sub call: $blah" if $blah =~ /\w+::\w+/;

That or check ref $sub to see that it is in the package you expect it
to be in.

-- 
Steven Lembark                                 2930 W. Palmer
Workhorse Computing                          Chicago, IL 60647
                                              +1 800 762 1582
Re: A better way ?
On Wed, Apr 17, 2002 at 04:38:50PM -0500, Steven Lembark wrote:
> > A recent Phrack article pointed out that one of the SOAP/RPC/XML
> > modules was doing this:
> >
> >     $soap->$tainted_method_name(@args);
>
> Use -T and untaint by extracting the subname:
>
>     my $flag = ::$input =~ /\w+$/;

    my($flag) = $input =~ /(\w+)$/;

>     my $sub  = $jumpz{$flag};

Well, the untainting here is useless since:

1) hash lookups don't taint check
2) the jump table itself effectively acts as a taint filter.  The user
   can't call anything you don't explicitly place in the jump table.

> or simply:
>
>     croak "$$: Bogus sub call: $blah" if $blah =~ /\w+::\w+/;

    $blah = '_your_private_method_im_not_supposed_to_call';

The jump table is safest and least clever. [1]

[1] That's the Chinese clever, like "interesting".

-- 
Michael G. Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern/
Perl Quality Assurance [EMAIL PROTECTED] Kwalitee Is Job One
But I wore the juice!
Re: A better way ?
Michael G Schwern wrote:
> On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
> > There's already a %dispatch set up for you by perl...
>
> I'd have used it but it just fell into the gaping security hole.
>
> A recent Phrack article pointed out that one of the SOAP/RPC/XML
> modules was doing this:
>
>     $soap->$tainted_method_name(@args);
>
> where $tainted_method_name was derived from the Outside World.
> Because it wasn't doing any checking one could remotely pass in
> something like:
>
>     I::want::you::to::call::this::method::instead
>
> and it would.  Because the method name is absolute it would work.
> As long as the method in question doesn't look at its arguments
> (as below) it will run fine.  It just so happens that there was a
> method which granted authorization which didn't use its arguments.
> Ergo, security hole.

Notice that the regex match (which should have been /\[([A-Z]+)\]/ )
effectively untaints and closes the security hole by disallowing
anything through that is not [A-Z]+

> Yes, there are plans to make symbolic refs and dynamic method calls
> taint check in 5.8.1.
>
> >     while( $vData =~ ) {
> >         my $vSub = ucfirst lc $1;
> >         main->$vSub();
>
>         ^^ that's a method call which will cause problems if the
>         subroutine looks at its arguments.  It'll see "main" as the
>         first one.
>
>         no strict 'refs';
>         &$vSub;
>
>         instead.
>
> >     }

The original did not appear to use arguments.  If it actually was,
then there would be a problem.

-- 
Rick Klement
Re: A better way ?
On Wed, Apr 17, 2002 at 04:16:08PM -0700, Rick Klement wrote:
> Notice that the regex match (which should have been /\[([A-Z]+)\]/ )
> effectively untaints and closes the security hole by disallowing
> anything through that is not [A-Z]+

This is still too lenient, you've just narrowed the possible holes.
It's not too hard to see Joe Maintenance Programmer coming along later
and adding in flags that match \w+ instead of [A-Z]+ without fully
considering the implications.  All to avoid writing a hash?

Just because the safety is on doesn't mean you should juggle handguns.
Never know whose foot it'll blow off.

-- 
Michael G. Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern/
Perl Quality Assurance [EMAIL PROTECTED] Kwalitee Is Job One
There's a Balrog in the woodpile.
Re: A better way ?
I like something like this, where the sub name is sub_KEYWORD (from a
CGI, hopefully you can extract usefulness):

    eval "sub_".param('page')
        if (param && defined param('page') && defined "sub_".param('page'));
    &page_login;   # If all else fails...

- adm

At 02:02 PM 4/17/2002, Bill -Sx- Jones wrote:
> I have the habit of doing:
>
>     last if (substr($vFlag, 1, 3) eq 'END');
>     $vSub = \&Sneex   if (substr($vFlag, 1, 5) eq 'SNEEX');
>     $vSub = \&Admin   if (substr($vFlag, 1, 5) eq 'ADMIN');
>     $vSub = \&Reports if (substr($vFlag, 1, 7) eq 'REPORTS');
>     $vSub = \&Logs    if (substr($vFlag, 1, 4) eq 'LOGS');
>     $vSub = \&Targets if (substr($vFlag, 1, 7) eq 'TARGETS');
>     $vSub = \&Usenet  if (substr($vFlag, 1, 6) eq 'USENET');
>     (substr($_, 0, 1) eq '[') ? next : &$vSub;
>
> (NOTE: Obviously NOT all of the 668 lines of program code is here,
> so this doesn't stand on its own two feet...)
>
> Q: Is there a better way?
>
> Thx;
>
> _Sx
> ('-Sx- IUDICIUM //\ Have Computer - v_/_Will Hack...

__
Aaron D. Marasco [EMAIL PROTECTED] http://www.aaronmarasco.com
I love America every day, not just when she needs it.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. - Benjamin Franklin
Re: A better way ?
On Wed, Apr 17, 2002 at 09:01:37PM -0400, Aaron D. Marasco wrote:
> I like something like this, where the sub name is sub_KEYWORD (from a
> CGI, hopefully you can extract usefulness):
>
>     eval "sub_".param('page')
>         if (param && defined param('page') && defined "sub_".param('page'));

The last clause will always be defined.  The first clause is redundant
since the defined param('page') is a more specific version of the same
check.  But that's not the real problem...

>     &page_login;   # If all else fails...

Remember what I was saying about security holes?

    http://you.com/your.cgi?page=foo%3B%20system%28%27rm%20%2Drf%20%2F%27%29

If sub_foo() exists, you now have a lot of free hard drive space.

-- 
Michael G. Schwern [EMAIL PROTECTED] http://www.pobox.com/~schwern/
Perl Quality Assurance [EMAIL PROTECTED] Kwalitee Is Job One
O you fat bastard anus clogged (library paste) you're not laughing now
    -- Halfjack
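The following is an added example, not code from any poster in this thread, that demonstrates two points made above together: Schwern's remark that the jump table is itself the filter (a sub that exists in the package but is not a table key cannot be reached, so no untainting regex or ::-check is needed), and his point that a string eval of a request parameter compiles whatever the client sent. The `sub_*` handlers and their return values are invented, and `param` is a constructed stand-in for CGI.pm's `param` so the script runs offline.

```perl
#!/usr/bin/perl
# Added example: page dispatch for a CGI through a fixed table instead of
# string eval.  Handlers, the %pages table and the requests are constructed.
use strict;
use warnings;

# -- handlers a request is allowed to reach (constructed) ---------------
sub sub_home   { return "home page" }
sub sub_search { return "search page" }
sub sub_login  { return "login page" }      # the fallback

# Exists in the package, but is deliberately NOT in %pages below:
# with the eval/symbolic-ref style any caller could name it.
sub sub_admin_override { return "must not be reachable from a URL" }

# Vulnerable shape from the thread (shown only as a comment): the
# parameter is spliced into source text and compiled, so a value such
# as "foo; system(...)" becomes Perl that runs.
#
#     eval "sub_" . param('page');
#
# Hardened shape: the parameter is only ever used as a hash key.  A key
# that is absent yields undef, and undef is never called.  This also
# works unchanged under -T, because hash lookups are not taint-checked.
my %pages = (
    home   => \&sub_home,
    search => \&sub_search,
);

sub dispatch_page {
    my ($page) = @_;
    my $handler = (defined $page && exists $pages{$page})
                ? $pages{$page}
                : \&sub_login;               # "if all else fails"
    return $handler->();
}

# -- constructed requests; param() mimics CGI::param for one request ----
my %request;
sub param { my ($name) = @_; return $request{$name} }

for my $value ('home',
               'search',
               'admin_override',             # real sub, not in the table
               "home; print 'injected'",     # would be compiled by string eval
               'x' x 500,                    # oversized junk
               undef) {                      # parameter missing entirely
    %request = (page => $value);
    my $shown = defined $value ? substr($value, 0, 30) : 'undef';
    printf "%-30s -> %s\n", $shown, dispatch_page(param('page'));
}
# Output:
#   home                           -> home page
#   search                         -> search page
#   admin_override                 -> login page
#   home; print 'injected'         -> login page
#   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -> login page
#   undef                          -> login page
```

The table, not a regex, decides what is callable: `admin_override` is a perfectly good `\w+` name and would pass Lembark's `/\w+::\w+/` check, yet it falls through to the login page because it was never listed. Adding a page means adding one key, which is the review point a maintainer sees, rather than adding a sub whose name happens to match a pattern.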
Re: A better way ?
On Wed, Apr 17, 2002 at 07:59:22PM -0400, Michael G Schwern wrote:
> Just because the safety is on doesn't mean you should juggle handguns.
> Never know whose foot it'll blow off.

Awww.  You're no fun.

-- 
Paul Johnson - [EMAIL PROTECTED]
http://www.pjcj.net