Quick Search for:  in language:    
   Code/Articles » |  Newest/Best » |  Community » |  Jobs » |  Other » |  Goto » | 
CategoriesSearch Newest CodeCoding ContestCode of the DayAsk A ProJobsUpload
Perl Stats

 Code: 74,273. lines
 Jobs: 24. postings

 How to support the site

Sponsored by:

You are in:

Does your code think in ink?

Latest Code Ticker for Perl.
Click here to see a screenshot of this code!CGIScripter
By David Simpson on 11/24

(Screen Shot)

By Jeff Mills on 11/20

By Jeff Mills on 11/20

Encrypt Password
By Jeff Mills on 11/20

Rock, Paper, Scissors w/ GUI
By Kurt Rudolph on 11/19

Click here to put this ticker on your site!

Add this ticker to your desktop!

Daily Code Email
To join the 'Code of the Day' Mailing List click here!

Affiliate Sites


Patching Security Holes in Unix and Perl


Submitted on: 7/29/2000 11:08:36 PM
By: Found on the World Wide Web 
Level: Advanced
User Rating: By 2 Users
Compatibility:5.0 (all versions), 4.0 (all versions)

Users have accessed this article 5468 times.
     Here's how...


One prime security hole in the Unix/Perl programming environment is the use of system calls to the Unix shell such as eval(), exec(), open(), and system(). These functions are invaluable in performing a number of useful tasks with Web programs, such as interfacing Web pages to databases, search engines, or e-mail. However, use of these system calls allows the possibility of great mischief if care is note taken in their implementation. There are several handy things one can do to avoid disaster:

  1. Avoid the use of system calls unless absolutely necessary.

  2. Scan the arguments sent to these system calls for shell metacharacters and remove them. These metacharacters includ = e:
    & ; ` ' " * ? ~ < > ^
    ( ) [ ] { } $ \n \r

  3. Make sure that all user input arguments are exactly what you expect them to be.

Taint Checking in Perl

One of the most frequent security problems in CGI programs is the inadvertent passing of unchecked user variables to the Unix shell. Perl provides a "taint" checking mechanism that prevents one from doing this. When this mechanism is invoked, any variable that is set by using data from outside the program (such as all data typed in by the user of a Web-based form) is considered "tainted" and cannot be used to affect anything else outside one's program. Tainted variables cannot be used in eval(), system(), exec(), or piped open() calls. If one tries to do so with taint-checking invoked, Perl exits with a warning message.

One can turn on taint checking in version 4 of Perl by using a special version of the Perl interpreter named "taintperl":


In version 5 of Perl, taint checking can be invoked by passing the -T flag to the Perl interpreter:

#!/usr/local/bin/perl5 -T

Once this taint checking has been invoked, one will be unable to use tainted variables with system calls. There is only one way to untaint a tainted variable: by performing a pattern matching operation on it and extracting the matched substrings. For example, if one expects a variable to contain an e-mail address, one can extract an untainted copy of the address with the following Perl commands:

    $untainted_address = $1;

This pattern is designed to extract data of the form: "some combination of letters or numbers, including hyphens and periods" followed by an "@" sign followed by "some other combination of letters or numbers, including hyphens and periods." In other words, this pattern will extract an e-mail address only if it is in the above format.

Implementation of taint checking in a program can require a variable amount of time. For the two programs described here, this time ranged from 30 seconds for the test grading program to half a day's work for the registration and certificate generation program. This large difference was due to the fact that the grader program contains no system calls and the registration/certificate program does. Therefore, adding the -T flag to the first line of the Perl source code allowed the grading program to run under taint checking without any further modification. The registration/certificate program, however, uses a piped open() call to send registration information via e-mail to the RSNA CME staff. It also uses an open() call to write this same registration information to a disk file. Therefore, once the -T flag was added to this program, the program would not run until a number of variables were detainted.

The first step in detainting the registration/certificate program required restriction of the directories that could be searched by the Perl program. This was accomplished by adding the following line near the beginning of the program:

$ENVPATH = '/bin:/usr/bin:/usr/local/bin';

It was then necessary to untaint every one of the user-supplied variables from the registration form before their information could be used by the e-mail or database routines. This was done with pattern matching constructs similar to the example given above for an e-mail address. This pattern was modified slightly for different types of information. Since a user's name typically contains one or more spaces and no "@" characters, the space character was added to the matching pattern, and the "@" character dropped, as in the example below.

$name = $input{'name'};
    $name=~/([\w-. ]+)/;
    $untainted_name = $1; 

Since telephone numbers are often written using parentheses, these characters were added to the matching pattern for telephone numbers, as shown below.

$phone = $input{'phone'};
    $phone=~/([\w-. ()]+)/;
    $untainted_phone = $1;

The differences required for untainting every user-supplied variable in the whole program can be seen by comparing the tainted and untainted versions of the Perl source code for the registration/certificate program.

Other 103 submission(s) by this author


Report Bad Submission
Use this form to notify us if this entry should be deleted (i.e contains no code, is a virus, etc.).
Your Vote!

What do you think of this article(in the Advanced category)?
(The article with your highest vote will win this month's coding contest!)
Excellent  Good  Average  Below Average  Poor See Voting Log
Other User Comments
8/13/2003 7:25:19 PM:Roberto Jiménez
Hi, i hope you can bring some help. I work in a radio station sistem's department, i'm using Quick Time Streaming Server (QTSS) but i have a problem i need to change the 1220 port to another, do you know some solution? Thanks Roberto Jiménez rjimenezt@hotmail.com
Keep the Planet clean! If this comment was disrespectful, please report it:

Add Your Feedback!
Note:Not only will your feedback be posted, but an email will be sent to the code's author in your name.

NOTICE: The author of this article has been kind enough to share it with you.  If you have a criticism, please state it politely or it will be deleted.

For feedback not related to this particular article, please click here.


Categories | Articles and Tutorials | Advanced Search | Recommended Reading | Upload | Newest Code | Code of the Month | Code of the Day | All Time Hall of Fame | Coding Contest | Search for a job | Post a Job | Ask a Pro Discussion Forum | Live Chat | Feedback | Customize | Perl Home | Site Home | Other Sites | About the Site | Feedback | Link to the Site | Awards | Advertising | Privacy

Copyright© 1997 by Exhedra Solutions, Inc. All Rights Reserved.  By using this site you agree to its Terms and Conditions.  Planet Source Code (tm) and the phrase "Dream It. Code It" (tm) are trademarks of Exhedra Solutions, Inc.