Thread: GPL Perl Blog




GPL Perl Blog
United States
2008-03-01 07:31:01

I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
but... it just doesn't work.
I got an error while editing:
Insecure dependency in open while running with -T switch
at /usr/lib/cgi-bin/index.pl line 136.

And... the main thing is I'm rewriting the preferences_editor.pl script,
something like this:

$preference1_explanation="this is the first";
@list=('preference1','preference2');
foreach $item (@list) {
    print $item_explanation;
}
But meaning that with $item_explanation I will get
$preference1_explanation.

--
http://thexayon.wordpress.com

May the Force be with you.

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS dpu s: a--- C++++ UL++++ P++++ L+++ E--- W+++ N+++ o+ K- w---
O M+ V- PS+ PE+++ Y PGP++ t--- 5 X+++ R tv+++ b++++ DI--- D+++
G+ e- h++ r+++ y++++
------END GEEK CODE BLOCK------

--XayOn--

Linux registered user #446872

Re: GPL Perl Blog
United States
2008-03-01 08:36:49

On Sat, Mar 1, 2008 at 8:31 AM, David Francos <yo.orco@gmail.com> wrote:
>
> I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
> but... it just doesn't work.
> I got an error while editing:
> Insecure dependency in open while running with -T switch
> at /usr/lib/cgi-bin/index.pl line 136.

That means you're using open() in an insecure manner. It would have helped
if you showed us line 136, but I'm guessing you're opening a file and the
filename is gotten from somewhere outside your program. In other words,
it's tainted! See *perldoc perlsec* for more details, or even Google the
error message ("Insecure dependency in open while running with -T switch").

> And... the main thing is I'm rewriting the preferences_editor.pl script,
> something like this:
>
> $preference1_explanation="this is the first";
> @list=('preference1','preference2');
> foreach $item (@list) {
>     print $item_explanation;
> }
> But meaning that with $item_explanation I will get
> $preference1_explanation.

That's a "soft reference", which is icky. You want a hash, really.

my %explanation = (
    preference1 => "message",
    preference2 => "message",
    preference3 => "blah blah",
    # ...
);

my @list = ('preference1', 'preference2');

foreach my $item (@list) {
    print $explanation{$item};
}


--
[Mary said,] "Do whatever he tells you." ~ John 2:5
The Cross Reference - http://thecrossreference.blogspot.com/
Nos autem praedicamus Christum crucifixum (1 Cor 1:23)

Re: GPL Perl Blog
United States
2008-03-01 09:41:52

On Sat, 2008-03-01 at 09:36 -0500, Jeff Pinyan wrote:
> On Sat, Mar 1, 2008 at 8:31 AM, David Francos <yo.orco@gmail.com> wrote:
> >
> > I'm working on a perl blog. I've published it on sourceforge. It's GPL'd
> > but... it just doesn't work.
> > I got an error while editing:
> > Insecure dependency in open while running with -T switch
> > at /usr/lib/cgi-bin/index.pl line 136.
>
> That means you're using open() in an insecure manner. It would have helped
> if you showed us line 136, but I'm guessing you're opening a file and the
> filename is gotten from somewhere outside your program. In other words,
> it's tainted! See *perldoc perlsec* for more details, or even Google the
> error message ("Insecure dependency in open while running with -T switch").
I'm sorry, yes that was what I thought but I didn't get what I was looking
for on Google, next time I'll remember perlsec.
The code in question is tainted: $file=$cgi->param('newid'); --> not
exactly, it's $newpath/$newid and newid is filtered to remove "../" from
it, and I've thought of just removing everything but numbers, or giving an
error if something other than a number is given (newid is always a
number)

> > And... the main thing is I'm rewriting the preferences_editor.pl script,
> > something like this:
> >
> > $preference1_explanation="this is the first";
> > @list=('preference1','preference2');
> > foreach $item (@list) {
> >     print $item_explanation;
> > }
> > But meaning that with $item_explanation I will get
> > $preference1_explanation.
>
> That's a "soft reference", which is icky. You want a hash, really.
>
> my %explanation = (
>     preference1 => "message",
>     preference2 => "message",
>     preference3 => "blah blah",
>     # ...
> );
>
> my @list = ('preference1', 'preference2');
>
> foreach my $item (@list) {
>     print $explanation{$item};
> }

That was exactly what I was looking for, never thought of that: instead of
modifying the main script, modify the preferences one. (Explanations and
so on are stored in different files; this way I pseudo-localize it with
extensions like .en, .es and so on.)
Thanks a lot

--
http://thexayon.wordpress.com

May the Force be with you.


--XayOn--

Linux registered user #446872

Re: GPL Perl Blog
United States
2008-03-01 10:49:56

On Sat, Mar 1, 2008 at 10:41 AM, David Francos <yo.orco@gmail.com> wrote:
> I'm sorry, yes that was what I thought but I didn't get what I was looking
> for on Google, next time I'll remember perlsec.
> The code in question is tainted: $file=$cgi->param('newid'); --> not
> exactly, it's $newpath/$newid and newid is filtered to remove "../" from
> it, and I've thought of just removing everything but numbers, or giving an
> error if something other than a number is given (newid is always a
> number)

Untainting isn't a matter of removing the bad, it's a matter of extracting
the good.

my $file = $cgi->param('newid'); # $file is tainted because it comes from a HTTP query

To untaint $file, you must do more than remove what you don't want:

# remove all characters that aren't lowercase letters...
$file =~ s/[^a-z]+//g; # $file is STILL tainted!

Instead, you must extract what is ok:

# if there are one or more lowercase letters, use them as $file's value
if ($file =~ /([a-z]+)/) {
    $file = $1;
}
else {
    # complain somehow
    die "Invalid value for '$file': must contain lowercase letters";
}

In your case, you would want to do this:

my ($file) = $cgi->param('newid') =~ /(\d+)/;

If $file is *undef* after that, then *newid* had a bad value in it.

--
[Mary said,] "Do whatever he tells you." ~ John 2:5
The Cross Reference - http://thecrossreference.blogspot.com/
Nos autem praedicamus Christum crucifixum (1 Cor 1:23)
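Added example (not code from this thread and not from the poster's project): a small CGI handler that puts the two approaches from the reply above side by side under taint mode. It strips "../" the way the poster described, shows that the result is still tainted and that one pass over "....//" leaves "../" behind, and then untaints `newid` by capturing only the digits before composing `$newpath/$newid` and calling open(). The directory `/var/lib/perlblog/posts`, the script name and the sample request are assumptions; CGI.pm and Scalar::Util are assumed to be installed (both shipped with Perl in 2008).

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread or from the poster's project.
# Assumptions (not in the original): posts live under $newpath, the CGI
# parameter is 'newid', and the request is simulated from the command line
# using CGI.pm's argv mode:
#   perl -T untaint_newid.pl 'newid=....//etc/passwd'
use strict;
use warnings;
use CGI;
use File::Spec;
use Scalar::Util qw(tainted);

# Under -T the environment is tainted too: set PATH before anything that
# could spawn a process and drop the variables perlsec warns about.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $newpath = '/var/lib/perlblog/posts';    # assumed storage directory

# What the poster described: delete "../" and keep the rest.
# Two problems: s/// never untaints, and a single pass over "....//"
# leaves "../" behind, so the directory escape survives the filter.
sub blacklist_newid {
    my ($id) = @_;
    $id =~ s{\.\./}{}g;
    return $id;
}

# What the reply recommends: capture the allowed shape and use only that.
# Anchored with \A and \z so "42/../x" or "42\n" are rejected outright;
# only the capture in $1 is untainted, nothing else about $id is.
sub untaint_newid {
    my ($id) = @_;
    return undef unless defined $id;
    return $id =~ /\A([0-9]{1,10})\z/ ? $1 : undef;
}

my $cgi = CGI->new;
my $raw = $cgi->param('newid');
$raw = '' unless defined $raw;

# Show why the blacklist is not enough (this line goes to the error log).
my $stripped = blacklist_newid($raw);
warn sprintf "blacklist: '%s' -> '%s', still tainted: %s\n",
    $raw, $stripped, tainted($stripped) ? 'yes' : 'no';

my $id = untaint_newid($raw);
if (!defined $id) {
    print $cgi->header(-status => '400 Bad Request', -type => 'text/plain');
    print "newid must be a number\n";
    exit 0;
}

# Build the path from untainted parts only. catfile joins components, it
# does not normalise them, so one numeric component cannot become a traversal.
my $file = File::Spec->catfile($newpath, $id);

# With $file untainted this open() no longer dies with
# "Insecure dependency in open while running with -T switch".
open my $fh, '<', $file or do {
    print $cgi->header(-status => '404 Not Found', -type => 'text/plain');
    print "no such post: $id\n";
    exit 0;
};
my $body = do { local $/; <$fh> };
close $fh;

print $cgi->header(-type => 'text/plain');
print $body;
```

Run it with `perl -T` (the `-T` on the shebang line is not enough when perl is invoked by hand). With `newid=....//etc/passwd` the error-log line reads `'....//etc/passwd' -> '../etc/passwd', still tainted: yes` and the request gets a 400; with `newid=42` the handler opens only `/var/lib/perlblog/posts/42`. The unanchored `/(\d+)/` from the reply also untaints, since it extracts digits only; the anchors here additionally reject any value that carries anything besides the number, which is the stricter check for an id that "is always a number".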
