Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Re: Insecure CPAN module in taint mode

by kcott (Bishop)
on Jul 07, 2021 at 04:30 UTC ( #11134747=note: print w/replies, xml ) Need Help??


in reply to Insecure CPAN module in taint mode

G'day Bod,

I didn't see it mentioned anywhere in the thread, so I thought I'd point out a general problem that you could be experiencing.

Here's a taint_test module:

$ cat taint_test.pm package taint_test; use strict; use warnings; chdir +(split /:/, $ENV{PATH})[0];

Here's a script that tries to clean $ENV{PATH}:

$ cat check_taint_1.pl use strict; use warnings; $ENV{PATH} = '/bin:/usr/bin'; use lib '.'; use taint_test;

But that fails:

$ perl -T check_taint_1.pl Insecure dependency in chdir while running with -T switch at taint_tes +t.pm line 6. Compilation failed in require at check_taint_1.pl line 6. BEGIN failed--compilation aborted at check_taint_1.pl line 6. $

The problem here is that the assignment to $ENV{PATH} occurs at runtime, whereas loading taint_test occurs at compile time. The order of the statements makes no difference: compile time happens before runtime.

Here's a subtly different version of the first script:

$ cat check_taint_2.pl use strict; use warnings; BEGIN { $ENV{PATH} = '/bin:/usr/bin'; } use lib '.'; use taint_test;

And this one works:

$ perl -T check_taint_2.pl $

Both assignment and loading occur at compile time; the order of the statements now matters.

Here's a third version of the script with the order of statements changed:

$ cat check_taint_3.pl use strict; use warnings; use lib '.'; use taint_test; BEGIN { $ENV{PATH} = '/bin:/usr/bin'; }

And, as expected, this fails:

$ perl -T check_taint_3.pl Insecure dependency in chdir while running with -T switch at taint_tes +t.pm line 6. Compilation failed in require at check_taint_3.pl line 5. BEGIN failed--compilation aborted at check_taint_3.pl line 5. $

Bear this in mind for things other than untainting $ENV{PATH}.

— Ken

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11134747]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (3)
As of 2022-05-28 01:19 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Do you prefer to work remotely?



    Results (98 votes). Check out past polls.

    Notices?