Safely opening files in Perl

Peter J. Holzer hjp at
Thu Dec 30 02:58:30 CST 1999

Preliminary remark: Imagine that in the Perl fragment below $ARGV[0] had
the value '@|rm -rf /', and that in a suid script.

----- Forwarded message from Henrik Edlund <henrik at EDLUND.ORG> -----

Date:         Wed, 29 Dec 1999 16:20:38 +0100
From: Henrik Edlund <henrik at EDLUND.ORG>
Subject:      Re: majordomo local exploit

> - -snip-
> # If the first argument is "@filename", read the real arguments
> # from "filename", and shove them onto the ARGV for later processing
> # by &Getopts()
> #
> if ($ARGV[0] =~ /^\@/) {
>     $fn = shift(@ARGV);
>     $fn =~ s/^@//;
>     open(AV, $fn) || die("open(AV, \"$fn\"): $!\nStopped");
> - -snip-

This security problem is as common as Perl scripts. Perl
programmers should always specify for open what they want to do
(read/write) and just not be lazy and skip that when they want to
read. A simple fix like:

open(AV, "< $fn") || die("open(AV, \"< $fn\"): $!\nStopped");

should fix this problem. As we specify that we are reading by
using the < (less than) the script will simply choke and say that
it can't open the filename starting with a | (pipe), instead of
running the filename. There is no need, I believe, to use the
sysopen function as someone else suggested earlier.

I believe this security hole has been covered in some other
advisory concerning all Perl (especially CGI) scripts.

Henrik Edlund

  "They were in the wrong place at the wrong time.
Naturally they became heroes."
                  Leia Organa of Alderaan, Senator

----- End forwarded message -----

   _  | Peter J. Holzer             | Nobody should ever have to be
|_|_) | Sysadmin WSR / Obmann LUGA  | ashamed if they have a secret love
| |   | hjp at               | for writing computer programs that
__/   | | actually work.  -- Donald E. Knuth
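The following is an added example, not code from this thread or from majordomo. It shows a hardened version of the "@filename" argument handling discussed above: it uses the three-argument form of open (available from Perl 5.6 on, which appeared shortly after this message), so the filename is never parsed for a pipe or a mode prefix, and it additionally rejects names that the two-argument open would have interpreted (leading/trailing "|", a leading "<" or ">", or a bare "-", which means STDIN). The argument file name and the sample inputs in the self-check are constructed.

```perl
#!/usr/bin/perl
# Added example (not part of the original thread or of majordomo).
use strict;
use warnings;

# Names that the two-argument open() does not treat as plain filenames:
# a leading or trailing '|' runs a command, a leading '<', '>', '+<',
# '+>' selects a mode, and '-' means STDIN (or STDOUT with '>').
# open() strips leading and trailing whitespace before interpreting the
# name, so the check trims the same way before looking at it.
sub is_magic_open_name {
    my ($name) = @_;
    my $n = $name;
    $n =~ s/^\s+//;
    $n =~ s/\s+$//;
    return 1 if $n =~ /^\+?[<>]/;              # mode prefix
    return 1 if $n =~ /^\|/ || $n =~ /\|$/;    # pipe from/to a command
    return 1 if $n eq '-';                     # STDIN / STDOUT
    return 0;
}

# Hardened replacement for the "@filename" handling: the three-argument
# open never interprets pipes or mode characters in the name, and the
# pre-check makes the script fail closed on names the older two-argument
# form would have treated specially.
sub read_args_file {
    my ($spec) = @_;                     # e.g. '@/etc/majordomo/args' (constructed)
    (my $fn = $spec) =~ s/^@//;
    die "refusing suspicious argument file name '$fn'\n"
        if is_magic_open_name($fn);
    open(my $av, '<', $fn) or die "open(< $fn): $!\nStopped";
    my @args;
    while (my $line = <$av>) {
        chomp $line;
        push @args, $line if length $line;
    }
    close $av;
    return @args;
}

# Self-check with constructed inputs; nothing here is executed as a command.
for my $name ('|echo hi', 'echo hi|', '>/tmp/x', '-', '  <foo', 'args.txt') {
    printf "%-12s magic=%d\n", "'$name'", is_magic_open_name($name);
}
# Usage: my @argv = read_args_file($ARGV[0]) if $ARGV[0] =~ /^@/;
```

The pre-check is deliberately kept even though the three-argument open already refuses to run a command: it gives a clear error message and protects any remaining two-argument open calls elsewhere in a script that are harder to audit.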
More information about the Vienna-pm mailing list