[Melbourne-pm] security hole

Raphael Alla raphael.alla at gmail.com
Mon Jan 30 17:40:34 PST 2006


Hi Paul,

my query was actually generated from the material coming from your own web
site! I think I understand better the security issues now.

I have thought of some other solutions than using a hash table. Having to
maintain a hash table can be cumbersome, or not applicable to all
situations.

Solution 1: use a namespace convention such as

&{"namespace_name_" . $sub}();

But this leaves the call by reference.

Solution 2: Use tags to flag which subs can be called from the outside and
build the hash table "on the fly" at execution time. This seems to be similar
to what Catalyst does.

for instance:

#!/usr/bin/perl
use strict;
use warnings;
use safe_call;   # exports safe_call() and the handler for the :Callable attribute

# only subs flagged :Callable can be reached through safe_call()
sub can_be_called : Callable { ... }   # handler body goes here

my $sub = $ENV{QUERY_STRING};
safe_call($sub);

and in safe_call.pm

package safe_call;
use strict;
use warnings;

my %symcache;      # ($pkg,$ref) => glob ref, so each sub is searched for only once
my @declarations;  # [ $pkg, $coderef ] for every sub declared with :Callable
my $identified = 0;
my %callable;      # bare sub name => code ref: the deny-by-default allow-list

# Export safe_call() and the attribute handler into the calling package.
# MODIFY_CODE_ATTRIBUTES has to be visible in the package that declares the
# :Callable subs, and import() runs at compile time, before they are parsed.
sub import {
    my $caller = caller;
    no strict 'refs';
    *{"${caller}::safe_call"}              = \&safe_call;
    *{"${caller}::MODIFY_CODE_ATTRIBUTES"} = \&MODIFY_CODE_ATTRIBUTES;
}

# Adapted from Attribute::Handlers: walk the package's symbol table for the
# glob whose CODE slot is $ref and record that sub as callable.
sub findsym {
    my ($pkg, $ref) = @_;
    return $symcache{$pkg,$ref} if $symcache{$pkg,$ref};
    my $type = ref($ref);   # 'CODE' for a subroutine reference
    no strict 'refs';
    foreach my $sym ( values %{$pkg."::"} ) {
        next unless ref(\$sym) eq 'GLOB';   # newer perls keep non-glob stash entries too
        if (*{$sym}{$type} && *{$sym}{$type} == $ref) {
            # keyed by bare name, since that is what arrives in QUERY_STRING;
            # the value is the code ref, so the call never goes through a
            # symbolic reference
            $callable{ *{$sym}{NAME} } = $ref;
            return $symcache{$pkg,$ref} = \$sym;
        }
    }
    return;
}

# Called by perl at compile time for every sub declared with attributes.
# Just stores the declarations: the glob may not be filled in yet, so the
# symbol table lookup is deferred until the first safe_call().
sub MODIFY_CODE_ATTRIBUTES
{
  my ($module, $ref, @attributes) = @_;
  my @other_attr;
  foreach (@attributes) {
    if ($_ eq "Callable") { push @declarations, [ $module, $ref ]; }
    else                  { push @other_attr, $_; }
  }
  return @other_attr;   # anything unhandled is reported by perl as an invalid attribute
}

sub identify
{
  foreach (@declarations) {
    findsym(@$_);
  }
  $identified = 1;
}

sub safe_call {
  identify() unless $identified;
  my $sub_name = shift;
  if (my $code = $callable{$sub_name}) {
    # remaining arguments are passed explicitly; the bare &{$sub_name}; form
    # would have passed the current @_ implicitly
    return $code->(@_);
  }
  else {
    die "Trying to call unallowed sub $sub_name\n";
  }
}

1;

I am sure that the above can be improved.

R.

On 1/31/06, Paul Fenwick <pjf at perltraining.com.au> wrote:
>
> G'day Raphael,
>
> Raphael Alla wrote:
>
> > #!/usr/bin/perl
> > my $sub = $ENV{QUERY_STRING};
> > &{$sub};
>
> This code warrants that every subroutine from every module and library you
> have loaded is perfectly safe to be called without arguments by a hostile
> attacker. That's a very big warrant.
>
> &{$sub} does not in any way restrict you to your own package.  If your
> subroutine specifies a subroutine in another package (eg:
> 'Dangerous::Package::Kaboom') then that *will* be called.
>
> To make matters worse, the use of &{...} syntax results in the contents of
> @_ being passed implicitly to the subroutine, something which not many
> people expect.
>
> This code has two fundamental problems, even if there are some
> circumstances where you may not be able to exploit them:
>
>         * It results in action from a distance.  Any subroutine from any
>           module could be called, making it *very* hard to determine all
>           possible execution paths.  This is not only very bad for
>           security, it also makes debugging and maintenance difficult.
>           This is reason enough to never ever use symbolic references.
>
>         * It is the antithesis to 'deny by default'.  Any potential hole
>           elsewhere in the program is magnified greatly by the code above.
>
> I personally would never allow such code past review, let alone run in a
> security sensitive context.
>
> All the best,
>
>         Paul
>
> --
> Paul Fenwick <pjf at perltraining.com.au> | http://perltraining.com.au/
> Director of Training                   | Ph:  +61 3 9354 6001
> Perl Training Australia                | Fax: +61 3 9354 2681
> _______________________________________________
> Melbourne-pm mailing list
> Melbourne-pm at pm.org
> http://mail.pm.org/mailman/listinfo/melbourne-pm
>



--
Raphael Alla
Mitija Australia
+61 4 15 678 576

Premium open source accounting for Australia
http://www.thetravelingaccountant.com
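The three dispatch styles this thread compares, side by side, as an added example that is not part of either post: the symbolic-reference call Paul describes, the namespace prefix from Solution 1, and a deny-by-default dispatch table of code refs (which is what the :Callable attribute in Solution 2 builds automatically). Every package, sub name and input below (Dangerous::Package::Kaboom, handler_hello, handler_goodbye, the sample query strings) is constructed for the demonstration and does not come from the original posts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed for this page: the packages, subs and inputs below are not from
# the original posts. Dangerous::Package::Kaboom stands in for "any subroutine
# from any module you have loaded".
package Dangerous::Package;
sub Kaboom { return "Kaboom got args (@_)" }

package main;

sub handler_hello   { return "hello got args (@_)" }
sub handler_goodbye { return "goodbye got args (@_)" }

# 1. The pattern under discussion: a symbolic reference built from user input.
#    A package-qualified name resolves to any loaded package, and the bare
#    &{...}; form passes the current @_ (here whatever follows the name) on.
sub dispatch_symbolic {
    my $name = shift;
    no strict 'refs';
    return &{$name};
}

# 2. Solution 1 from the thread, a namespace prefix: the name is confined to
#    subs called handler_*, but the call is still a symbolic reference, so
#    every handler_* sub in every loaded module is reachable.
sub dispatch_prefixed {
    my ($name, @args) = @_;
    no strict 'refs';
    return &{"handler_" . $name}(@args);
}

# 3. Deny-by-default dispatch table: a hash of code refs looked up by name.
#    No symbolic reference, and nothing is reachable that is not listed here.
my %dispatch = (
    hello   => \&handler_hello,
    goodbye => \&handler_goodbye,
);

sub dispatch_table {
    my ($name, @args) = @_;
    my $code = $dispatch{$name}
        or die "Trying to call unallowed sub $name\n";
    return $code->(@args);
}

# Run each dispatcher on a legitimate and a hostile "query string" and show
# whether the call went through or was refused.
sub attempt {
    my ($label, $code) = @_;
    my $result = eval { $code->() };
    print "  $label: ", defined $result ? "$result\n" : "refused: $@";
}

for my $input ('hello', 'handler_hello', 'Dangerous::Package::Kaboom') {
    print "input '$input'\n";
    attempt('symbolic', sub { dispatch_symbolic($input, 'x') });
    attempt('prefixed', sub { dispatch_prefixed($input, 'x') });
    attempt('table   ', sub { dispatch_table($input, 'x') });
}
```

Run as a plain script: the symbolic dispatcher calls Dangerous::Package::Kaboom and hands it the extra argument, the prefixed dispatcher refuses it only because no handler_Dangerous::Package::Kaboom exists, and the table refuses anything that is not one of its two keys.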