SPUG: Subroutine references with "strict refs"

Jeremy Devenport jeremy at weezel.com
Fri Oct 13 22:38:57 CDT 2000


If you're writing code like this you should definitely look at running with
taint checking turned on.

In particular the examples below are both big fat security holes.

A small demo of why evaling user input is stupid/wrong:
my $string = qq(foo; print "gotcha sucka\n");   # pretend this came from the form
sub foo {
    print qq(do the foo\n);
}
eval "&$string";    # compiles and runs: &foo; print "gotcha sucka\n"

and even if you use the { block } form of eval:
my $string = 'some_private_sub';   # again, imagine this is user-supplied
sub some_private_sub {
    print qq(nobody expects the spanish inquisition\n);
}
sub foo {
    print qq(do the foo\n);
}
eval { &$string };    # symbolic ref: calls whichever sub the string names

(not quite as exploitable but still lets anybody run any already defined
sub)


The laundering will solve this security hole but you REALLY need to
understand why you have to launder it.

In short, what you really want to do is switch on the string passed to you,
not magically interpret the user-input string into executable code.

Jeremy
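The "switch on the string" approach Jeremy recommends, written out as a complete script (an added example, not code from any of the posters). It assumes hypothetical handler subs add_record/remove_record/list_records, a %dispatch hash, and helpers run_action and launder_action; the action arrives as a constructed command-line argument rather than from the poster's %in form hash, because under -T anything from @ARGV is tainted and so behaves like real form input. It also shows, for contrast, the laundering detail Charles's regex check leaves implicit: only the captured group of a successful match is untainted, the original string is not.

```perl
#!/usr/bin/perl -T
# Added example (not from the SPUG thread): dispatch-table handling of a
# form "action" parameter under taint mode. Run it as
#   perl -T dispatch.pl remove
#   perl -T dispatch.pl 'remove; print "gotcha\n"'
# Names (%dispatch, run_action, launder_action, *_record) are hypothetical.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Only these names can ever be called, whatever the client sends. The
# user string is used purely as a hash key, never turned into code.
my %dispatch = (
    add    => \&add_record,
    remove => \&remove_record,
    list   => \&list_records,
);

sub add_record    { print "adding\n";   return 'added'   }
sub remove_record { print "removing\n"; return 'removed' }
sub list_records  { print "listing\n";  return 'listed'  }

# Look up the requested action and run it inside eval { } so a handler
# that dies is reported rather than killing the script. Unknown or
# missing actions are refused before anything executes.
sub run_action {
    my ($action) = @_;
    return (0, 'no action given') unless defined $action;
    my $handler = $dispatch{$action}
        or return (0, "unknown action '$action'");
    my $result = eval { $handler->() };
    return (0, "action '$action' failed: $@") if $@;
    return (1, $result);
}

# The regex-whitelist alternative from the thread, done so that the result
# is actually untainted: matching proves $raw is an allowed name, but $raw
# itself stays tainted; only the capture ($1) is clean, so return that.
# \z (not $) so a trailing newline cannot sneak through.
sub launder_action {
    my ($raw) = @_;
    my ($clean) = $raw =~ /^(add|remove|list)\z/ or return;
    return $clean;
}

# Constructed input: first command-line argument, tainted under -T.
my $raw = defined $ARGV[0] ? $ARGV[0] : 'list';
printf "input %s tainted\n", tainted($raw) ? 'is' : 'is not';

my ($ok, $msg) = run_action($raw);
print $ok ? "ok: $msg\n" : "refused: $msg\n";

if (defined(my $clean = launder_action($raw))) {
    printf "laundered copy %s tainted\n", tainted($clean) ? 'is' : 'is not';
} else {
    print "launder: rejected\n";
}
```

With a payload such as 'remove; print "gotcha\n"' the hash lookup simply fails and the request is refused; there is no string of code for the attacker to append to. The laundering helper is only needed if the validated name must later reach something taint checking guards (a string eval, system, open); a dispatch table never gets there.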


-----Original Message-----
From: owner-spug-list at pm.org [mailto:owner-spug-list at pm.org] On Behalf Of
Dan Ebert
Sent: Friday, October 13, 2000 4:37 PM
To: ced at carios2.ca.boeing.com; spug-list at pm.org
Subject: Re: SPUG: Subroutine references with "strict refs"



Thanks, that seems to have done the trick.

At 03:15 PM 10/13/00 -0700, ced at carios2.ca.boeing.com wrote:
> > I am attempting to call a subroutine with the same name as the "action"
> > parameter.  Here is the snip of code:
>
>
> >      my $action = $in{action}; # $in{action} holds the value of the
> >                                # "action" parameter from the form.
>
> >      eval{ &$action; }; # error trap
> >      if ( ! $@ ){
> >          &$action;
> >      }
> >          else {
> >             # do something with the error
> >          }
>
> > This code works perfectly if I don't use strict; at the beginning of my
> > code, but if I use strict; I get this error:
>
> > Error: Can't use string ("remove") as a subroutine ref while "strict refs"
> > in use at ....
>
>
> > Any ideas?  The only other way I can come up with is using a "Dispatch table"
> > hash of parameter->references-to-subroutines (as described on p 54 of
> > O'Reilly's Advanced Perl Programming), but I'd rather not do that if
> > possible.
>
>There's much to be said for the dispatch table, but if you
>don't mind a slower runtime eval and a bit of do-it-yourself
>laundering, this'll pass strict:
>
>#-- launder the hidden param; ** See perldoc perlsec **
>#-- explicitly allow only sub names
>
>unless ($action =~ /^(?:sub1|sub2|sub3|sub4)$/ ) {
>    die "die evil sub passage....";
>}
>eval "&$action";
>if ( $@ ) {
>    # do something with the error
>}
>
>
>hth,
>--
>Charles DeRykus
>
>  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>      POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
>       Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
>   Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
>  For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
>   Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/

--------------------------------------------------
The nice thing about standards is that there are
    so many of them to choose from.
         - Andrew S. Tanenbaum

Dan Ebert   <dan at enic.cc>
eNIC Corporation, www.enic.cc
--------------------------------------------------
