PERL Beginners archive > February 2005 > Securing user data

 

Securing user data

Tyson Sommer

2005-02-18, 8:55 pm

Are there any not-so-obvious problems with untainting user input for passing
to the shell with something like (for the sake of simplicity):

# need to be able to use "." and "-" characters as well as
# alphanumerics
chomp ( my $input = <STDIN> );
$input =~ s/[^A-Za-z0-9\-\.]//g;

system ("some_system_binary_here $input");

Thanks!
tyson


Tyson Sommer

2005-02-18, 8:55 pm



> -----Original Message-----
> From: Jay [mailto:daggerquill@gmail.com]
> Sent: Friday, February 18, 2005 3:42 PM
> To: tysons@firstcash.com
> Subject: Re: Securing user data
>
> On Fri, 18 Feb 2005 14:33:24 -0600, Tyson Sommer
> <tysons@firstcash.com> wrote:
> input for
> simplicity):
>
> That partly depends on how portable you want to be. You
> might look into posix or unicode classes, e.g. \p{IsAlnum} or
> [:alnum:]. Also, it looks as if you're probably taking a
> filename here, '_' is probably a valid character,


Oh yeah, forgot that one :-)


> and in
> square brackets, '.' is a literal '.' not a metacharacter, so
> it shouldn't be escaped.



Gotcha. Now... will escaping them in the character class actually be
escaping them? Or did I just allow for "\" as well? I'll test it out...
Nope! The result is the same whether I escape "-" with "\" or not. Didn't
allow for "\" and did allow "-" either way. Learning...



> Beyond that, think a little bit about what your application is here.
> Figure out what you're expecting here, and look for it. Will
> all your filenames have, say, dots and an extension? Then
> perform the substitution and then do 'next unless /.+\..{3}/'.



Basically, that's it. Let's say, just for the sake of argument, that I want
to ping something (that may or may not arbitrarily have "."s, "_"s, and/or
"-"s in its filename in arbitrary positions). I want to make sure a user
can't input something like:

"some_valid_device | some_malicious_code"

So that after it tells the system to run the ping (or whatever) they can't
then trick the system into piping through some other potentially malicious
program.




> What program are you passing to? Is it a *nix system? How
> will the program react to a bare '-', especially if there's
> nothing further coming on STDIN? Are there situations in
> which the input could be interpreted as an argument, rather
> than a file to open (or vice versa, depending on the
> application)? For instance, if the user enters '-v', will
> that return version information on your program. Could that
> information be abused?



Those are some good points. I should definitely strip any leading "-"s. This
appears to work:

$input =~ s/^-*|[^A-Za-z0-9.-_]//g;


> Some things to think about.


Much thanks!

Anyone think of any more potential problems that I might be missing?

Tyson
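The approach the thread converges on (strip unwanted characters, strip leading dashes, then hand the string to the shell) still leaves the shell in the loop. The script below is an added example, not code from the thread or from any of its posters: it replaces the strip-and-hope substitution with an anchored allowlist match (which is also what lifts the taint flag under perl -T), forbids a leading "-" so the value can never be read as an option, and then calls ping through the list form of system(), which passes each argument directly and never invokes a shell at all. The sample inputs, the hostname length limit and the ping options are constructed assumptions for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: validate a user-supplied host name
# with an anchored allowlist and pass it to ping without a shell.
use strict;
use warnings;

# Return the validated name, or nothing if it is not acceptable.
# ^ and \z make this a whole-string check (\z, unlike $, does not
# tolerate a trailing newline); the capture group is what untaints the
# value when the script runs under -T.
sub validate_host {
    my ($raw) = @_;
    return unless defined $raw;
    chomp $raw;
    # Only letters, digits, '.', '_' and '-', and the first character must
    # be alphanumeric so a leading '-' cannot be taken for an option.
    # 253 characters is the conventional DNS name limit (assumption).
    return unless $raw =~ /^([A-Za-z0-9][A-Za-z0-9._-]{0,252})\z/;
    return $1;
}

# Constructed sample inputs: the first is what a legitimate user types,
# the rest are the shapes the thread worries about.
my @samples = (
    "some_valid_device",
    "some_valid_device | some_malicious_code",
    "-v",
    "host.example.com\n",
    "",
);

for my $s (@samples) {
    my $host = validate_host($s);
    (my $shown = $s) =~ s/\n/\\n/g;
    if (defined $host) {
        print "accepted: \"$shown\" -> $host\n";
        # List form of system(): each element becomes one argv entry, so
        # no shell ever parses the string and '|' has no special meaning.
        # Commented out so the example runs offline without sending packets.
        # system('ping', '-c', '1', $host) == 0
        #     or warn "ping exited with status $?\n";
    } else {
        print "rejected: \"$shown\"\n";
    }
}
```

Run as-is it only prints which samples pass; uncomment the system() call to actually ping. The important design choice is that rejecting bad input and avoiding the shell are two independent layers: even if the allowlist were loosened later, the list form of system() would still keep "| some_malicious_code" from ever reaching a shell.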


John W. Krahn

2005-02-19, 3:56 am

Tyson Sommer wrote:
>
> Those are some good points. I should definitely strip any leading "-"s. This
> appears to work:
>
> $input =~ s/^-*|[^A-Za-z0-9.-_]//g;


That could be simplified to:

$input =~ s/^-*|[^a-z.-_]//g;

Because the range [.-_] includes uppercase letters and numbers unless you
really meant to write [^A-Za-z0-9.\-_] or [^A-Za-z0-9._-]? :-)



John
--
use Perl;
program
fulfillment
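To make John's point concrete, here is an added example (not from the thread or its posters) that applies the three character classes from the discussion to one constructed sample string and prints what each one lets through, then lists every ASCII character the accidental .-_ range admits. Note that the range form also fails to admit a literal "-" at all, since 0x2D lies just outside .-_ (0x2E to 0x5F).

```perl
#!/usr/bin/perl
# Added example, not from the thread: show what the character class in the
# thread really strips, versus the two corrected spellings.
use strict;
use warnings;

# Apply a substitution pattern to a string and return what survives.
sub strip_with {
    my ($pattern, $text) = @_;
    (my $out = $text) =~ s/$pattern//g;
    return $out;
}

# Constructed sample containing a leading dash, an internal dash,
# allowed punctuation and a few shell metacharacters.
my $sample = '-v-Host_01.ex|am;ple$(x)';

my %classes = (
    'buggy    [^A-Za-z0-9.-_]'  => qr/^-*|[^A-Za-z0-9.-_]/,
    'escaped  [^A-Za-z0-9.\-_]' => qr/^-*|[^A-Za-z0-9.\-_]/,
    'trailing [^A-Za-z0-9._-]'  => qr/^-*|[^A-Za-z0-9._-]/,
);

for my $name (sort keys %classes) {
    printf "%-28s %s\n", $name, strip_with($classes{$name}, $sample);
}

# The range .-_ spans ASCII 0x2E to 0x5F, so it quietly admits every
# printable character in between; list the ones that were not intended.
my @leaked = grep { /[.-_]/ && !/[A-Za-z0-9._-]/ } map { chr } 0x21 .. 0x7E;
print "characters admitted by .-_ that were not intended: @leaked\n";
```

With the sample above, the buggy class keeps the ";" and drops the internal "-", while both corrected classes keep the "-" and drop ";", "|", "$", "(" and ")". The leaked list comes out as / : ; < = > ? @ [ \ ] ^, which is why a "-" inside a character class belongs either escaped or at one end.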

Copyright 2008 codecomments.com