[Melbourne-pm] security hole
Raphael Alla
raphael at mitija.com
Mon Jan 30 18:57:42 PST 2006
Hi,
your code will not work in all circumstances. In particular, the way
attributes work is that the MODIFY_*_ATTRIBUTE function is called during the
BEGIN stage of the compilation process, at a stage in which subroutines have
not yet been given a name.
The Attribute::Handlers module works around that by calling the "find_sym"
function during the CHECK compilation phase to identify what the names of
the syms are. The function they use is the same one I have reused.
Now, if you put your code in a module, let's say safe_call.pm, then the
identification of module will take place during the compilation of
safe_call.pm, and not during the compilation of t.pl. All subs will be
identified as ANON.
file t.pl:
#!/usr/bin/perl
use safe_call;
sub this_is_ok: Callable {...}
__END__
In the code which I propose, the find_sym sub is called at the first access
to the safe_call() sub, which is after the compilation time.
Your code would work if the sub this_is_ok is part of the file for which the
function sub Callable: ATTR is defined.
Part of the difficulty stems from the fact that the MODIFY_*_ATTRIBUTE
function is not called with a glob as a parameter but with a reference to
the code instead. The glob must be found by doing a search through the
symbol table, which is cumbersome.
This could be the subject of an interesting, yet technical, lightning talk!
Cheers
R.
On 1/31/06, Paul Fenwick <pjf at perltraining.com.au> wrote:
>
> G'day Raphael,
>
> Raphael Alla wrote:
>
> > my query was actually generated from the material coming from your own
> > web site! I think I understand better the security issues now.
>
> Good... I hope... ;) Would this be from our sample chapter from the Perl
> Security course? The one that discusses that if you turn off strict then
> taint mode won't save you from calling subroutines by symbolic reference?
>
> > Solution 1: use a namespace convention such as
> >
> > &{"namespace_name_" . $sub}();
> >
> > But this leaves the call by reference.
>
> Indeed, and if 'namespace_name' is a package (the most obvious choice)
> there's still a risk that a module that has been use'd has exported
> subroutines into that package.
>
> > Solution 2: Use tags to flag which one are the subs which can be called
> > from the outside and build the hashtable "on the fly" at execution time.
> > This seems to be similar to what Catalyst does.
>
> [snip]
>
> The trouble here is making it 'obviously correct'. Luckily, using
> Attribute::Handlers is a good way of going about this. Attribute::Handlers
> allows you to write subroutines which will then act when something with
> that attribute is declared.
>
> The following *untested* code, with no warranty, provides an example of
> how we can catch all subroutines declared with the 'Callable' attribute,
> and add them to a hash of (name => coderef) pairs.
>
> #!/usr/bin/perl -w
> use strict;
>
> use Carp;                 # croak() is used below
> use Attribute::Handlers;
>
> my %callable;
>
> # Remember subroutines marked as 'Callable' and place them into the
> # %callable hash declared above. This code does *not* examine the package
> # into which such subroutines are declared. $_[0] contains the package
> # name if this is required.
>
> sub Callable :ATTR {
>     my (undef, $glob, $sub_ref, undef, undef, undef) = @_;
>
>     if (ref($sub_ref) ne 'CODE') {
>         croak q{'Callable' attribute set on non-subroutine};
>     }
>
>     if ($glob eq 'ANON') {
>         croak q{'Callable' attribute set on anonymous subroutine};
>     }
>
>     # Find the name of the subroutine (technically the typeglob
>     # it was entered into). Note this does not provide the package
>     # name.
>
>     my $name = *{$glob}{NAME}
>         or die "Internal error: subroutine with no name";
>
>     # Now plug our name -> coderef into our hash.
>
>     $callable{$name} = $sub_ref;
>
>     return;
>
> }
>
> __END__
>
> Cheerio,
>
> Paul
>
> --
> Paul Fenwick <pjf at perltraining.com.au> | http://perltraining.com.au/
> Director of Training | Ph: +61 3 9354 6001
> Perl Training Australia | Fax: +61 3 9354 2681
>
--
Raphael Alla
Mitija Australia
+61 4 15 678 576
Premium open source accounting for Australia
http://www.thetravelingaccountant.com
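
The deferred lookup discussed in this thread, as an added single-file example that is not code from either poster: the attribute hook only records code references, and names are resolved from the symbol table on the first safe_call(). The SafeCall package, _resolve and the sample subs are assumptions made for illustration; SafeCall stands in for safe_call.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package SafeCall;   # hypothetical single-file stand-in for safe_call.pm

my %pending;    # package => [coderefs flagged :Callable, names not yet resolved]
my %callable;   # sub name => coderef, filled in on first safe_call()

# Perl invokes this while compiling "sub name :Callable {...}". It is given the
# package and a code reference only, so just remember the reference for now.
sub MODIFY_CODE_ATTRIBUTES {
    my ($pkg, $code, @attrs) = @_;
    push @{ $pending{$pkg} }, $code if grep { $_ eq 'Callable' } @attrs;
    return grep { $_ ne 'Callable' } @attrs;    # hand back anything unrecognised
}

# Walk the symbol table of each package and match the remembered references
# against the named subs found there.
sub _resolve {
    no strict 'refs';
    for my $pkg (keys %pending) {
        my @codes = @{ delete $pending{$pkg} };
        for my $name (grep { !/::\z/ } keys %{"${pkg}::"}) {
            next unless defined &{"${pkg}::$name"};
            my $ref = \&{"${pkg}::$name"};
            $callable{$name} = $ref if grep { $_ == $ref } @codes;
        }
    }
    return;
}

# Dispatch only through the allow-list; the caller-supplied string is a hash
# key and is never used as a symbolic reference.
sub safe_call {
    my ($name, @args) = @_;
    _resolve() if %pending;
    my $code = $callable{$name}
        or die "refusing to call '$name': not marked Callable\n";
    return $code->(@args);
}

package main;
use parent -norequire, 'SafeCall';    # lets main find MODIFY_CODE_ATTRIBUTES

sub this_is_ok :Callable { return "this_is_ok(@_)" }
sub internal_only        { return "should never run" }

print SafeCall::safe_call('this_is_ok', 1, 2), "\n";
print eval { SafeCall::safe_call('internal_only') } // "blocked: $@";
```

Like the hash in the quoted code, the allow-list is keyed by bare sub name, so two packages that both mark a sub of the same name as Callable would collide.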