X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=pod%2Fperlsec.pod;h=1c2dbd266d47e819b6cf12e262647a92e6596126;hb=890ed176d1ab1cf305ce9634210857cfed305fff;hp=87d1f7b3402ad15b99ccf135da4dbb6a00699fb9;hpb=ee556d553a6eff7ecdc9231bcb7bcb56f26130e7;p=p5sagit%2Fp5-mst-13.2.git diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 87d1f7b..1c2dbd2 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod @@ -44,12 +44,24 @@ directories, or processes, B: =item * -If you pass more than one argument to either C or C, -the arguments are B checked for taintedness. +Arguments to C and C are B checked for taintedness. =item * -Arguments to C and C are B checked for taintedness. +Symbolic methods + + $obj->$method(@args); + +and symbolic sub references + + &{$foo}(@args); + $foo->(@args); + +are not checked for taintedness. This requires extra carefulness +unless you want external data to affect your control flow. Unless +you carefully limit what these symbolic values are, people are able +to call functions B your Perl code, such as POSIX::system, +in which case they are able to run arbitrary external code. =back @@ -72,7 +84,8 @@ For example: $data = 'abc'; # Not tainted system "echo $arg"; # Insecure - system "/bin/echo", $arg; # Secure (doesn't use sh) + system "/bin/echo", $arg; # Considered insecure + # (Perl doesn't know about /bin/echo) system "echo $hid"; # Insecure system "echo $data"; # Insecure until PATH set 
@@ -87,18 +100,18 @@ For example: open(FOO, "< $arg"); # OK - read-only file open(FOO, "> $arg"); # Not OK - trying to write - open(FOO,"echo $arg|"); # Not OK, but... + open(FOO,"echo $arg|"); # Not OK open(FOO,"-|") - or exec 'echo', $arg; # OK + or exec 'echo', $arg; # Also not OK $shout = `echo $arg`; # Insecure, $shout now tainted unlink $data, $arg; # Insecure umask $arg; # Insecure - exec "echo $arg"; # Insecure (uses the shell) - exec "echo", $arg; # Secure (doesn't use the shell) - exec "sh", '-c', $arg; # Considered secure, alas! + exec "echo $arg"; # Insecure + exec "echo", $arg; # Insecure + exec "sh", '-c', $arg; # Very insecure! @files = <*.c>; # insecure (uses readdir() or similar) @files = glob('*.c'); # insecure (uses readdir() or similar) @@ -112,9 +125,7 @@ For example: $arg, `true`; # Insecure (although it isn't really) If you try to do something insecure, you will get a fatal error saying -something like "Insecure dependency" or "Insecure $ENV{PATH}". Note that you -can still write an insecure B or B, but only by explicitly -doing something like the "considered secure" example above. +something like "Insecure dependency" or "Insecure $ENV{PATH}". =head2 Laundering and Detecting Tainted Data @@ -125,10 +136,7 @@ nearby CPAN mirror, and included in Perl starting from the release 5.8.0. Or you may be able to use the following I function. sub is_tainted { - return ! eval { - join('',@_), kill 0; - 1; - }; + return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }; } This function makes use of the fact that the presence of tainted data @@ -156,7 +164,7 @@ or a dot. if ($data =~ /^([-\@\w.]+)$/) { $data = $1; # $data now untainted } else { - die "Bad data in $data"; # log this somewhere + die "Bad data in '$data'"; # log this somewhere } This is fairly secure because C doesn't normally match shell 
@@ -240,7 +248,7 @@ not called with a string that the shell could expand. This is by far the best way to call something that might be subjected to shell escapes: just never call the shell at all. - use English; + use English '-no_match_vars'; die "Can't fork: $!" unless defined($pid = open(KID, "-|")); if ($pid) { # parent while () { @@ -371,6 +379,13 @@ Your access to it does not give you permission to use it blah blah blah." You should see a lawyer to be sure your licence's wording will stand up in court. +=head2 Unicode + +Unicode is a new and complex technology and one may easily overlook +certain security pitfalls. See L for an overview and +L for details, and L for security implications in particular. + =head1 SEE ALSO L for its description of cleaning up environment variables.
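Review bot: in the first hunk (the new symbolic-methods bullet), "This requires extra carefulness unless you want external data to affect your control flow" reads as if letting external data drive control flow were an option the reader might want; suggest "because you do not want external data to affect your control flow". "Call functions outside your Perl code, such as POSIX::system" is also imprecise, since POSIX::system is a Perl wrapper visible to the program; say "call any function visible to your program, such as POSIX::system". Because taint mode does nothing here, state the mitigation: check a symbolic method name or sub reference against a fixed hash of permitted names before dispatching, rather than dispatching whatever arrived.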
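Review bot: the hunk that rewrites `system "/bin/echo", $arg; # Considered insecure` reverses the earlier "Secure (doesn't use sh)" verdict, and the parenthetical "(Perl doesn't know about /bin/echo)" is the only explanation given. Spell it out once near the example list: the list form still bypasses the shell, but taint checking now applies because Perl cannot know what the invoked program does with a tainted argument, so the argument has to be untainted first in either form.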
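Review bot: in the open/exec hunk, `exec "echo", $arg; # Insecure` and `or exec 'echo', $arg; # Also not OK` give no reason, unlike the `system "/bin/echo", $arg` line earlier in the same example; repeat that parenthetical, or write "Insecure (tainted argument)", so readers do not conclude the list form is being blamed for a shell problem it does not have. `exec "sh", '-c', $arg; # Very insecure!` is the right call, since the old "Considered secure, alas!" contradicted the point, and the matching removal of the "considered secure" sentence in the following hunk keeps the text consistent.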
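Review bot: the new one-line `is_tainted`, `return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };`, has no explanation of why it works, and the paragraph that follows ("This function makes use of the fact that the presence of tainted data ...") was written for the old join/kill version. Add a comment: `substr(..., 0, 0)` yields an empty string that is still tainted, the leading `#` makes the string eval compile nothing, and under -T a string eval with a tainted argument dies with "Insecure dependency", which the outer eval BLOCK catches; so the function returns true exactly when some argument is tainted and never executes caller-supplied text. Update the following paragraph to match.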
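Review bot: `die "Bad data in '$data'"; # log this somewhere` improves readability, but since `$data` is the untrusted value that just failed the check, it may carry newlines or control characters; if the message is really written to a log, mention escaping or truncating it first so a rejected input cannot forge log lines.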
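Review bot: `use English '-no_match_vars';` is the right change (importing the $PREMATCH/$MATCH/$POSTMATCH aliases for $`, $& and $' slows every regex in the program), but the example gives no hint why; a trailing comment such as `# avoid the $& performance penalty` stops readers from dropping the argument when they copy the snippet.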
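Review bot: the new "=head2 Unicode" section says "Unicode is a new and complex technology" and names no pitfall at all; "new" will date, and the reader gets nothing actionable beyond three links. Name at least one concrete implication that this document itself exposes, for example that the untainting pattern `/^([-\@\w.]+)$/` shown under Laundering accepts far more than ASCII letters and digits once `\w` is applied with Unicode semantics, so an allowlist that looked tight under ASCII is much wider. Also, placed directly after the licensing advice and before SEE ALSO, the subsection reads as part of "Protecting Your Programs"; consider moving it next to the other technique sections.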