[tpm] Re. Tainted data

Tom Legrady legrady at gmail.com
Wed Apr 11 00:47:37 PDT 2012


I'm generally dubious of constructs like "if $language ne 'english'".
(Besides, should be "lc $language") .. are you certain there will never be
another language ... Gernan .. Cree ...

On a Hungarian keyboard from Budapest

Tom

On Mon, Apr 9, 2012 at 6:10 PM, Chris Jones <cj at enersave.ca> wrote:

> So to confirm:
>
> my $language = <data from outside the program>;
>
> my $index = "index.html";
>
> if( $language ne "english" )
> {
>        $index = "indexo.html"
> }
>
> # $index is now tainted and
>
> <a href="$index">
>
> # throws and error when selected by the user
>
> If that summarizes my issue, it certainly explains the problems I have
> been having.
>
> A follow on question:
> Is data retrieved from a database considered tainted?  The application
> uses data retrieved from a mysql database.  Would this data also be
> considered tainted?
> The program uses DBI, DBD-mysql.
>
>
>
>
>
> At 11:48 PM 06/04/2012, Liam R E Quin wrote:
>
>> On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:
>> > Uri
>> > Thanks again for your help.  I have one question about untainting
>> > then files before opening.
>> >
>> > Would not the split untaint the data:
>> > my( $key, $value ) = split /\t/ ;
>>
>> No.
>>
>> The only ways to untaint data are to use them as keys in a hash (so $key
>> is OK here, but $value is not) or to pick them out of a regular
>> expression match with $1, $2, etc.
>> The point of marking input data as tainted is so you can catch things
>> like,
>> my ($filename, $info) = split;
>> system("ls $filename");
>> and have filename be "/etc/group;reboot;" or something
>>
>> see "perldoc perlsec" for more info.
>>
>> >
>> > As long as there is no bad characters in the data that should untaint
>> it?
>> > Again the input config file contains:
>> > infilename      ../input
>> > outfilename     ../output
>> >
>> > If I use:
>> > my $outfilename = "$confighash{outfilename}";
>> > my $modfilename = "$outfiilename".".mod";  #add the extension
>> >
>> > Would not $modfilename be untainted?
>> no. Also watch for the two i's in outfiilename.
>>
>> The general principle is that data from outside your program cannot be
>> trusted (whereas data from inside your program _probably_ shouldn't be
>> trusted :-)) and untrusted data must never be allowed to affect the
>> world outside your program.  Yes, your data file might be safe, but what
>> if it wasn't? How does Perl know?
>>
>> [...]
>> > Which leads to a question about declaring variable and scope:
>> > my( $key, $value ) = split /\t/ ;
>> >
>> > Are these two variables in scope each time through the loop?  That is
>> > why I declared them outside the while loop in my original version.
>>
>> They are in scope, yes -- but if you have
>>
>> while ($sun_shines) {
>>    my $cider = split;
>>    . . .
>> }
>>
>> then there's a new $cider made each time around the loop.
>>
>> Hope that helps.
>>
>> Liam
>>
>> --
>> Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
>> Pictures from old books: http://fromoldbooks.org/
>>
>
> >>
> Christopher Jones, P.Eng.
> Suite 1801, 1 Yonge Street
> Toronto, ON M5E1W7
> Tel. 416-203-7465
> Fax. 416-946-1005
> email cj at enersave.ca
>
> ______________________________**_________________
> toronto-pm mailing list
> toronto-pm at pm.org
> http://mail.pm.org/mailman/**listinfo/toronto-pm<http://mail.pm.org/mailman/listinfo/toronto-pm>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.pm.org/pipermail/toronto-pm/attachments/20120411/e9c1bb2e/attachment.html>


More information about the toronto-pm mailing list