PERL Beginners mailing list archive, August 2005
Problem with taint mode
Carol Overes, 2005-08-23, 6:56 pm

All,
I'm using taint mode and I want to extract an archive on my filesystem.
To untaint the content of the archive file, I'm matching the files in
the archive against a regexp (this regexp is right now '.*' for testing
purposes). This is the error that I get:
Could not create directory '/tmp/untar/test': Insecure dependency in
mkdir while running with -T switch at /usr/lib/perl5/5.8.5/File/Path.pm
line 159.
at ./tar.pl line 23
Could not create directory '/tmp/untar/test': Insecure dependency in
mkdir while running with -T switch at /usr/lib/perl5/5.8.5/File/Path.pm
line 159.
at ./tar.pl line 23
This is my script:
    #!/usr/bin/perl -wT
    use strict;
    use Archive::Tar;

    $ENV{"PATH"} = "";

    my $updatedir  = '/tmp/tar/';
    my $updatetar  = 'test.tar.gz';
    my $updatefile = $updatedir.$updatetar;
    my $floppydir  = './test/';
    my $dir        = '/tmp/untar/';

    chdir $dir;
    my $tar = Archive::Tar->new($updatefile,1);
    $tar->error(1);

    my @tarlist;
    foreach my $item ($tar->list_files()) {
        # capture "untaints" the name; '.*' accepts anything (testing only)
        push @tarlist,$1 if $item =~ /(.*)/;
    }
    foreach my $item (@tarlist) {
        $tar->extract_file($item);
    }
These are the rights on the directories which are used:
[root@celeste tmp]# ls -al
drwxrwxrwt 5 root root 4096 Aug 23 19:29 .
drwxr-xr-x 24 root root 4096 Jul 30 14:45 ..
drwx------ 2 root root 4096 Aug 23 19:21 tar
-rwxr----- 1 root root 453 Aug 23 19:22 tar.pl
drwx------ 3 root root 4096 Aug 23 19:25 untar
And this is the content of my archive:
[root@celeste tmp]# tar ztvf tar/test.tar.gz
drwx------ root/root 0 2005-08-23 19:16:52 ./test/
-rw------- root/root 5 2005-08-23 19:16:52 ./test/testfile
Can someone explain to me what I'm doing wrong? Many thanks for any help.
Kind regards,
Carol Overes
Peter Scott, 2005-08-23, 6:56 pm

On Tue, 23 Aug 2005 15:25:45 +0200, Carol Overes wrote:
> I'm using taint mode and I want to extract an archive on my filesystem.
> [snip] This is the error that I get:
>
> Could not create directory '/tmp/untar/test': Insecure dependency in
> mkdir while running with -T switch at /usr/lib/perl5/5.8.5/File/Path.pm
> line 159.
> at ./tar.pl line 23
>
> #!/usr/bin/perl -wT
>
> use strict;
> use Archive::Tar;
>
> $ENV{"PATH"} = "";
>
> my $updatedir = '/tmp/tar/';
> my $updatetar = 'test.tar.gz';
> my $updatefile = $updatedir.$updatetar; my $floppydir = './test/';
> my $dir = '/tmp/untar/';
>
> chdir $dir;
> my $tar = Archive::Tar->new($updatefile,1); $tar->error(1);
> my @tarlist;
> foreach my $item ($tar->list_files()) {
> push @tarlist,$1 if $item =~ /(.*)/;
> }
> foreach my $item (@tarlist) {
> $tar->extract_file($item);
> }
>
> Can someone explain to me what I'm doing wrong ? Many thanks for any
> help.
I don't think you're doing anything wrong. Inspecting the source for
Archive::Tar shows that the extract_file() method uses its first argument
as a search term for looking up an entry object, upon which it then
proceeds to call various methods to get its full path, etc. That
instance data not having been untainted, you're hosed.
If you're going to blindly untaint everything anyway, there's no point in
having taint on in the first place. If this is essentially your whole
program, then forget -T and just check for whatever constitutes insecure
in your book. If this is part of a larger program that needs -T for good
reasons, then I see two choices: either use Taint::Runtime from CPAN so
you can temporarily disable taint checking at the appropriate time
(disclaimer: I haven't used that module), or you could try setting a
second argument in extract_file(), which passes the full path you want the
file extracted to. You could figure that out and untaint it. Another
disclaimer: I haven't tried that, but casual perusal of the Archive::Tar
source suggests it is likely to work. And congratulations on taking
security seriously.
--
Peter Scott
http://www.perlmedic.com/
http://www.perldebugged.com/
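Peter's advice (decide what "insecure" means for your archive, and untaint only a destination path you have built yourself) written out as an added example; this is not code from the thread or from Archive::Tar. It reads each member's data with get_content and writes the file itself, so the only value that must be untainted is the destination path derived from the validated member name; the paths /tmp/tar/test.tar.gz and /tmp/untar come from Carol's post, and the member-name pattern (relative path, plain components, no leading dots, no symlinks or devices) is an assumption about what an acceptable entry looks like.

```perl
#!/usr/bin/perl -wT
use strict;
use Archive::Tar;
use File::Basename qw(dirname);
use File::Path qw(mkpath);
use File::Spec;

$ENV{PATH} = '';

my $archive = '/tmp/tar/test.tar.gz';   # paths as in the original post
my $dest    = '/tmp/untar';

# Assumed policy: a member name is acceptable only if it is relative, made of
# plain components that start with a letter, digit or underscore (so no '.'
# or '..' traversal and no dotfiles), optionally prefixed with './'.
# The capture is the untainted copy of the name.
my $safe_member = qr{\A (?:\./)?
                     ( [A-Za-z0-9_][A-Za-z0-9_.\-]* (?: / [A-Za-z0-9_][A-Za-z0-9_.\-]* )* )
                     /? \z}x;

my $tar = Archive::Tar->new($archive, 1) or die Archive::Tar->error;

for my $entry ($tar->get_files) {
    my $name    = $entry->full_path;          # tainted: read from the archive
    my ($clean) = $name =~ $safe_member;      # undef if the name fails the policy
    unless (defined $clean) {
        warn "skipping '$name': not a plain relative path\n";
        next;
    }
    # Built only from untainted pieces, so mkdir/open are allowed under -T.
    my $target = File::Spec->catfile($dest, $clean);

    if ($entry->is_dir) {
        mkpath($target) unless -d $target;
    }
    elsif ($entry->is_file) {
        my $parent = dirname($target);
        mkpath($parent) unless -d $parent;
        open my $out, '>', $target or die "open $target: $!";
        binmode $out;
        print {$out} $entry->get_content;     # data may stay tainted; only the path matters
        close $out or die "close $target: $!";
    }
    else {
        # symlinks, hard links, devices: not something we want to recreate
        warn "skipping '$name': not a regular file or directory\n";
    }
}
```

Because extract_file() is not used, nothing inside Archive::Tar has to touch tainted entry data on the way to disk; the trade-off is that file modes and timestamps from the archive are not restored.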