[tpm] Re. Tainted data

Chris Jones cj at enersave.ca
Mon Apr 9 09:10:17 PDT 2012


So to confirm:

my $language = <data from outside the program>;

my $index = "index.html";

if( $language ne "english" )
{
         $index = "indexo.html"
}

# $index is now tainted and

<a href="$index">

# throws an error when selected by the user

If that summarizes my issue, it certainly explains the problems I 
have been having.

A follow-on question:
Is data retrieved from a database considered tainted?  The 
application uses data retrieved from a mysql database.  Would this 
data also be considered tainted?
The program uses DBI, DBD-mysql.





At 11:48 PM 06/04/2012, Liam R E Quin wrote:
>On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:
> > Uri
> > Thanks again for your help.  I have one question about untainting
> > the files before opening.
> >
> > Would not the split untaint the data:
> > my( $key, $value ) = split /\t/ ;
>
>No.
>
>The only ways to untaint data are to use them as keys in a hash (so $key
>is OK here, but $value is not) or to pick them out of a regular
>expression match with $1, $2, etc.
>The point of marking input data as tainted is so you can catch things
>like,
>my ($filename, $info) = split;
>system("ls $filename");
>and have filename be "/etc/group;reboot;" or something
>
>see "perldoc perlsec" for more info.
>
> >
> > As long as there are no bad characters in the data that should untaint it?
> > Again the input config file contains:
> > infilename      ../input
> > outfilename     ../output
> >
> > If I use:
> > my $outfilename = "$confighash{outfilename}";
> > my $modfilename = "$outfiilename".".mod";  #add the extension
> >
> > Would not $modfilename be untainted?
>no. Also watch for the two i's in outfiilename.
>
>The general principle is that data from outside your program cannot be
>trusted (whereas data from inside your program _probably_ shouldn't be
>trusted :-)) and untrusted data must never be allowed to affect the
>world outside your program.  Yes, your data file might be safe, but what
>if it wasn't? How does Perl know?
>
>[...]
> > Which leads to a question about declaring variables and scope:
> > my( $key, $value ) = split /\t/ ;
> >
> > Are these two variables in scope each time through the loop?  That is
> > why I declared them outside the while loop in my original version.
>
>They are in scope, yes -- but if you have
>
>while ($sun_shines) {
>     my $cider = split;
>     . . .
>}
>
>then there's a new $cider made each time around the loop.
>
>Hope that helps.
>
>Liam
>
>--
>Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
>Pictures from old books: http://fromoldbooks.org/

Christopher Jones, P.Eng.
Suite 1801, 1 Yonge Street
Toronto, ON M5E1W7
Tel. 416-203-7465
Fax. 416-946-1005
email cj at enersave.ca
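
The taint rules from the quoted reply, as an added Perl example (not code from the thread): run under `perl -T`, it reports the taint status of the hash keys, the split values, a concatenated file name, and a copy taken from a regex capture. The helper `untaint_path`, its allowlist pattern and the `__DATA__` lines are constructed for illustration; the `listing` line reuses the hostile value quoted in the reply.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper: validate a relative path against an allowlist and
# return the regex capture, which is the copy Perl treats as untainted.
sub untaint_path {
    my ($raw) = @_;
    return unless defined $raw;
    my $name = qr{[A-Za-z0-9_-][A-Za-z0-9_.-]*};   # no leading dot, no shell metacharacters
    return $raw =~ m{\A((?:\.\./)*$name(?:/$name)*)\z} ? $1 : undef;
}

sub flag { return tainted( $_[0] ) ? 'tainted' : 'clean' }

my %config;
while ( my $line = <DATA> ) {            # everything read from a handle is tainted
    chomp $line;
    my ( $key, $value ) = split /\s+/, $line, 2;   # the thread's file uses /\t/
    $config{$key} = $value if defined $value;
}

for my $key ( sort keys %config ) {      # hash keys lose taint without any validation
    my $raw   = $config{$key};           # split did not untaint the value
    my $mod   = $raw . ".mod";           # concatenation keeps the taint
    my $clean = untaint_path($raw);
    printf "%-12s key=%s value=%s value.mod=%s checked=%s\n",
        $key, flag($key), flag($raw), flag($mod),
        defined $clean ? "$clean (" . flag($clean) . ")" : 'rejected';
}

# Constructed sample input (whitespace-separated so it survives copy and paste).
__DATA__
infilename ../input
outfilename ../output
listing /etc/group;reboot;
```

The capture is only as trustworthy as the pattern: a match against `(.*)` would also clear the taint flag while checking nothing.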


