Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Re^2: Insecure CPAN module in taint mode

by Bod (Curate)
on Jul 06, 2021 at 21:33 UTC ( #11134731=note: print w/replies, xml ) Need Help??


in reply to Re: Insecure CPAN module in taint mode
in thread Insecure CPAN module in taint mode

Thank you - that explains exactly where the problem is...

Would this be a sensible way to untaint $ENV{'PATH'} without losing the portability of the code and without introducing huge security risks?

my $path = $ENV{'PATH'}; $ENV{'PATH'} = undef; foreach my $p(split /:/, $path) { if ($p =~ m!^(/(usr|bin).*)!) { $ENV{'PATH'} .= ':' if $ENV{'PATH'}; $ENV{'PATH'} .= $1; } }

Replies are listed 'Best First'.
Re^3: Insecure CPAN module in taint mode
by afoken (Canon) on Jul 06, 2021 at 22:00 UTC
    sensible way to untaint $ENV{'PATH'} without losing the portability

    Just set $ENV{'PATH'} to /bin:/usr/bin. That's what you get by default when nothing else is set (default set in init, libc, and some other places), and that's where all important binaries can be found. If you need "exotic programs" that are not in /bin or /usr/bin, put their path into the configuration file.

    my $path = $ENV{'PATH'}; $ENV{'PATH'} = undef; foreach my $p(split /:/, $path) { if ($p =~ m!^(/(usr|bin).*)!) { $ENV{'PATH'} .= ':' if $ENV{'PATH'}; $ENV{'PATH'} .= $1; } }

    That looks broken.

    You add every element of PATH to the new PATH if it starts with /usr or /bin. Including /usr/u0/evil.me (that's how HOME once looked like, before /home became common), /binary/garbage, /usr.corrupted, /usr/sbin, /usr/svr4/bin, /usr/etc, and so on.

    Also, why don't you use join to combine the "cleaned" elements?

    Just don't. The predefined PATH is unreliable, that's why perl considers it tainted. Set a sane default, don't try to repair the mess found in PATH. It just makes things worse. /bin:/usr/bin is sane.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      Just don't. The predefined PATH is unreliable, that's why perl considers it tainted

      I was thinking that I didn't know what else or why else the other parts of PATH are. But, I suppose it doesn't really matter as long as I don't want to make use of them which I don't!

      I'll set it to /bin:/usr/bin as you suggest - thanks

Re^3: Insecure CPAN module in taint mode
by pryrt (Monsignor) on Jul 06, 2021 at 21:50 UTC
    Your example code assumes that the entirety of /usr and /bin are inherently safe. I cannot answer for you whether that is true on your webserver (which, IIRC, is a shared hosting server). edit:in light of afoken's additional points, I concur that your snippet was not sufficient./edit

    Further, your example code ignores the remainder of the untainting in my example snippet, and shows that you didn't read the whole of perlsec, nor even the few paragraphs in the section called Cleaning Up Your Path. The delete was there for a reason; that reason was explained in the documentation I linked, but can be summed up in the statement that those other environment variables can affect execution similar to PATH. If you do not follow the complete advice, perl will still consider $ENV{PATH} tainted until you take care of those other environment variables as well.

    But if you believe the assumptions about those paths is valid, and if you have implemented but not shown the other advice mentioned, then your code seems a reasonable way of making sure that only the "safe" path elements are included. edit:struck out; see afoken's additional points for why your code still isn't a reasonable way to trim the PATH/edit

    But, while cleaning up PATH (and the related variables) is advisable from an un-tainting perspective, I think that Corion's advice in Re: Insecure CPAN module in taint mode is still even better: why fork out to an external process unless necessary?

    edit:see inline edits/edit

      and shows that you didn't read the whole of perlsec, nor even the few paragraphs in the section called Cleaning Up Your Path

      I did!
      I put the delete in. Once the error had gone I commented that line out to see if it was necessary and the error did not return. Hence why I didn't include it in the code snippet.

      I think that Corion's advice...

      Good advice it may be. But on this shared hosting (you remembered correctly) it didn't work - Re^2: Insecure CPAN module in taint mode

        I put the delete in. Once the error had gone I commented that line out to see if it was necessary and the error did not return.

        Sorry, since your example didn't include the delete, I interpreted that to mean that you hadn't used it. (I've only got what you show me to go on, so that's not an unreasonable interpretation.)

        My first experiment didn't have the delete but did change the PATH, and it wasn't sufficient to remove the taint message; my second experiment added the delete and the taint message went away; in a later experiment, I accidentally forgot the delete, and the taint message came back. So I don't know how the taint message went away for you. I would personally be worried that it will come back unexpectedly; since it doesn't hurt to leave it in, that would be my recommendation.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11134731]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (2)
As of 2022-05-21 00:35 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Do you prefer to work remotely?



    Results (76 votes). Check out past polls.

    Notices?