From: Jarkko Hietaniemi Date: Sat, 18 Mar 2000 19:56:12 +0000 (+0000) Subject: Taint the shell from the getpw*. X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=4602f195a9a943db1cd284ff4af1bcdb58f98ead;p=p5sagit%2Fp5-mst-13.2.git Taint the shell from the getpw*. p4raw-id: //depot/cfgperl@5805 --- diff --git a/pod/perldelta.pod b/pod/perldelta.pod index 39bb033..8904889 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod @@ -206,6 +206,11 @@ will produce different results on platforms that have different $Config{ivsize}. For portability, be sure to mask off the excess bits in the result of unary C<~>, e.g., C<~$x & 0xffffffff>. +=head2 The shell returned by the getpwxxx() is now tainted + +Because the user can affect her own login shell the shell returned +by the getpwent(), getpwnam(), and getpwuid() functions is tainted. + =back =head2 C Source Incompatibilities diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod index f14b8bb..2c55a95 100644 --- a/pod/perlfunc.pod +++ b/pod/perlfunc.pod @@ -1859,6 +1859,13 @@ various get routines are as follows: (If the entry doesn't exist you get a null list.) +The exact meaning of the $gcos field varies but it usually contains +the real name of the user (as opposed to the login name) and other +information pertaining to the user. Beware, however, that in many +system users are able to change this information and therefore it +cannot be trusted and therefore the $gcos is is tainted (see L). +The $shell, user's login shell, is also tainted, because of the same reason. + In scalar context, you get the name, unless the function was a lookup by name, in which case you get the other thing, whatever it is. (If the entry doesn't exist you get the undefined value.) For example: 
@@ -1871,26 +1878,25 @@ lookup by name, in which case you get the other thing, whatever it is. $name = getgrent(); #etc. -In I the fields $quota, $comment, and $expire are -special cases in the sense that in many systems they are unsupported. -If the $quota is unsupported, it is an empty scalar. If it is -supported, it usually encodes the disk quota. If the $comment -field is unsupported, it is an empty scalar. If it is supported it -usually encodes some administrative comment about the user. In some -systems the $quota field may be $change or $age, fields that have -to do with password aging. In some systems the $comment field may -be $class. The $expire field, if present, encodes the expiration -period of the account or the password. For the availability and the -exact meaning of these fields in your system, please consult your -getpwnam(3) documentation and your F file. You can also find -out from within Perl what your $quota and $comment fields mean -and whether you have the $expire field by using the C module -and the values C, C, C, C, -and C. Shadow password files are only supported if your -vendor has implemented them in the intuitive fashion that calling the -regular C library routines gets the shadow versions if you're running -under privilege. Those that incorrectly implement a separate library -call are not supported. +In I the fields $quota, $comment, and $expire are special +cases in the sense that in many systems they are unsupported. If the +$quota is unsupported, it is an empty scalar. If it is supported, it +usually encodes the disk quota. If the $comment field is unsupported, +it is an empty scalar. If it is supported it usually encodes some +administrative comment about the user. In some systems the $quota +field may be $change or $age, fields that have to do with password +aging. In some systems the $comment field may be $class. The $expire +field, if present, encodes the expiration period of the account or the +password. 
For the availability and the exact meaning of these fields +in your system, please consult your getpwnam(3) documentation and your +F file. You can also find out from within Perl what your +$quota and $comment fields mean and whether you have the $expire field +by using the C module and the values C, C, +C, C, and C. Shadow password +files are only supported if your vendor has implemented them in the +intuitive fashion that calling the regular C library routines gets the +shadow versions if you're running under privilege. Those that +incorrectly implement a separate library call are not supported. The $members value returned by I is a space separated list of the login names of the members of the group. diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 4037487..e613165 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod 
@@ -33,16 +33,17 @@ You may not use data derived from outside your program to affect something else outside your program--at least, not by accident. All command line arguments, environment variables, locale information (see L), results of certain system calls (readdir, readlink, -the gecos field of getpw* calls), and all file input are marked as -"tainted". Tainted data may not be used directly or indirectly in any -command that invokes a sub-shell, nor in any command that modifies -files, directories, or processes. (B: If you pass -a list of arguments to either C or C, the elements of -that list are B checked for taintedness.) Any variable set -to a value derived from tainted data will itself be tainted, -even if it is logically impossible for the tainted data -to alter the variable. Because taintedness is associated with each -scalar value, some elements of an array can be tainted and others not. +the gecos and shell fields of getpw* calls), and all file input are +marked as "tainted". Tainted data may not be used directly or +indirectly in any command that invokes a sub-shell, nor in any command +that modifies files, directories, or processes. (B: If you pass a list of arguments to either C or +C, the elements of that list are B checked for +taintedness.) Any variable set to a value derived from tainted data +will itself be tainted, even if it is logically impossible for the +tainted data to alter the variable. Because taintedness is associated +with each scalar value, some elements of an array can be tainted and +others not. For example: diff --git a/pp_sys.c b/pp_sys.c index e1d74ae..517a955 100644 --- a/pp_sys.c +++ b/pp_sys.c @@ -4868,6 +4868,10 @@ PP(pp_gpwent) PUSHs(sv = sv_mortalcopy(&PL_sv_no)); sv_setpv(sv, pwent->pw_shell); +#ifndef INCOMPLETE_TAINTS + /* pw_shell is tainted because user himself can diddle with it. */ + SvTAINTED_on(sv); +#endif #ifdef PWEXPIRE PUSHs(sv = sv_mortalcopy(&PL_sv_no));
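Review bot: in the perldelta.pod hunk (@@ -206,6 +206,11 @@), the sentence "Because the user can affect her own login shell the shell returned by the getpwent(), ..." needs a comma after the subordinate clause ("...her own login shell, the shell returned..."), and the heading's "getpwxxx()" spelling should match the "getpw*" form the same commit uses in perlsec.pod so readers searching the docs find both entries. Suggested heading: "=head2 The shell returned by the getpw*() functions is now tainted".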
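Review bot: the new $gcos paragraph in the first perlfunc.pod hunk (@@ -1859,6 +1859,13 @@) carries three typos that will ship in the rendered documentation: "in many system users" should read "in many systems users", "the $gcos is is tainted" doubles "is", and "because of the same reason" should be "for the same reason". The sentence also chains "therefore ... and therefore"; dropping one occurrence reads better, e.g. "...users are able to change this information, so it cannot be trusted and the $gcos is tainted" followed by "The $shell, the user's login shell, is also tainted for the same reason."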
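Review bot: the second perlfunc.pod hunk (@@ -1871,26 +1878,25 @@) is a pure re-wrap of the $quota/$comment/$expire paragraph; the removed and added text are word-for-word identical apart from line breaks, which inflates the diff of a security-relevant change and makes it harder to review and to backport. Keep the re-flow in a separate whitespace-only commit, or drop it from this one.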
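Review bot: in the perlsec.pod hunk (@@ -33,16 +33,17 @@) the only substantive change is "the gecos field of getpw* calls" becoming "the gecos and shell fields of getpw* calls", yet the whole paragraph is re-wrapped, and the re-wrap leaves the line beginning "that modifies files, directories, or processes. (B..." noticeably longer than its neighbours. Limit the hunk to the one changed line, or re-wrap the paragraph consistently, so the diff records only the actual taint change.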
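Review bot: in the pp_sys.c hunk (@@ -4868,6 +4868,10 @@) the SvTAINTED_on(sv) for pw_shell is compiled only under #ifndef INCOMPLETE_TAINTS, while all three POD hunks state without qualification that the shell is tainted; either make the taint unconditional or add the platform caveat to the perldelta.pod and perlfunc.pod text so the documentation does not promise a check that some builds do not perform. Separately, the comment "user himself can diddle with it" should use the same wording and pronoun as the perldelta entry ("her own login shell") and state the rationale plainly, e.g. "/* pw_shell is tainted because users can change their own login shell. */".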