[Melbourne-pm] security hole

Paul Fenwick pjf at perltraining.com.au
Tue Jan 31 04:54:23 PST 2006

G'day Raphael,

Raphael Alla wrote:

> *#!/usr/bin/perl
> my $sub = $ENV{QUERY_STRING};
> &{$sub};

This code warrants that every subroutine from every module and library you have
loaded is perfectly safe to be called without arguments by a hostile attacker.
That's a very big warrant.

&{$sub} does not in any way restrict you to your own package.  If your
subroutine specifies a subroutine in another package (eg:
'Dangerous::Package::Kaboom') then that *will* be called.

To make matters worse, the use of &{...} syntax results in the contents of @_
being passed implicitly to the subroutine, something which not many people expect.

This code has two fundamental problems, even if there are some circumstances
where you may not be able to exploit them:

	* It results in action from a distance.  Any subroutine from any
	  module could be called, making it *very* hard to determine all
	  possible execution paths.  This is not only very bad for security,
	  it also makes debugging and maintenance difficult.  This is reason
	  enough to never ever use symbolic references.

	* It is the antithesis to 'deny by default'.  Any potential hole
	  elsewhere in the program is magnified greatly by the code above.

I personally would never allow such code past review, let alone run in a
security sensitive context.

All the best,


Paul Fenwick <pjf at perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681

More information about the Melbourne-pm mailing list