[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index][Top&Search][Original]

Re: [ID 19991230.004] Phrack finds a major perl bug

From: Russ Allbery <rra@stanford.edu>
To: ap296@torfree.net
Cc: perl5-porters@perl.org
Date: 30 Dec 1999 12:44:32 -0800
Message-ID: <ylyaac40r3.fsf@windlord.stanford.edu>

ap296 <ap296@torfree.net> writes:

> Phrack finds a major perl bug:
> http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2

If you're actually trying to be helpful, providing some actual details on
what you think is a Perl bug would be nicer.  None of the three items
listed on that page are actually called bugs in Perl.

To summarize for p5p, the first item on that page is a discussion of
weirdness related to adding nul characters to strings that will be passed
to system calls.  The example used was passing "rfp\0" as a file name to a
script that only opens files ending in .db, so that Perl would try to open
"rfp\0.db" and actually open "rfp".  This is probably worth a note in the
documentation; it's generally hard to get nul characters into situations
where this could be a problem, but it is possible with CGI scripts as the
article points out.  Just use %00.  This one may be somewhat more
interesting than the others given that it also affects sysopen().

The offered additional example, the fact that "root" and "root\0" compare
as inequal in Perl but are treated the same by system calls, is very
artificial and manufactured given that one doesn't generally ever pass a
username to a system call anyway (one uses UIDs instead).

The second item is a discussion of shell metacharacters and pointing out
that it's necessary to escape backslashes as well as other metacharacters.
No Perl bugs here.

The third item reduces basically to "people don't realize open is magic."
This is clearly documented in Perl's documentation and isn't a bug, and
we've had this argument on this list before.

The fourth item is a catalog of the insecurities in several Perl CGI
scripts pulled off the web, most of which appear not to use the CGI
module, not to run with tainting turned on, and are generally bad examples
of Perl programming.

-- 
Russ Allbery (rra@stanford.edu)         <URL:http://www.eyrie.org/~eagle/>

Follow-Ups from:: Chip Salzenberg <chip@valinux.com>

References to:: ap296@torfree.net

[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index][Top&Search][Original]