Re: Taint mode piped open problem




Quoth Rohit <rohit.makasana@xxxxxxxxx>:

> I am writing perl script with taint mode. In which I have to parse PS
> command output using command line argument process ID. The problem is
> when I store this process id in any variable, by using this variable I
> am getting error.
>
> $processID = $ARGV[0];

Do you have

    use warnings;
    use strict;

at the top of your script? This probably needs to be

    my $processID = $ARGV[0];

> open(PSDATA, "/bin/ps -wwwp $processID |");

Check the return value of open.
Use three-or-more arg open, *especially* in scripts where security is an
issue.
Use lexical filehandles.

    open(my $PSDATA, '-|', '/bin/ps', '-wwwp', $processID)
        or die "can't fork ps: $!";

> while (<PSDATA>) {
>     print scalar <PSDATA>;
> }
> close PSDATA;

> I am getting this taint checking error -> "Insecure dependency in
> piped open while running with -T switch at GetWidget.pl line 24."

@ARGV is tainted, since it comes from outside your program. This means
$processID is tainted as well, so you can't pass it directly to ps
without checking it first. With your script as it stood (1-arg open),
someone could have passed an argument of '1; rm -rf /' and caused
serious trouble. With multi-arg open this is not possible, but for all
Perl knows there could be other problems with passing arbitrary data to
ps.

There are two possible solutions: preferable would be to use a module
like Proc::ProcessTable rather than parsing the output of ps(1);
alternatively, you need to untaint $ARGV[0] by extracting data from a
pattern match. Something like

    my ($processID) = ($ARGV[0] =~ /^(\d+)$/)
        or die "invalid pid: $ARGV[0]";

Read perldoc perlsec, and note that you will also (if you aren't
already) need to explicitly set $ENV{PATH} before taint mode will let
you run anything at all.

> If I replace $processID to any process id like 250, it works fine.
>
> open(PSDATA, "/bin/ps -wwwp 250 |");

This is because a literal constant like '250' is not from outside your
program, so it isn't tainted. (I guess this means you are already
setting $PATH.)

Ben
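
Added example (not part of Ben's post or the original script): a complete taint-mode version of the approach described above, combining the explicit $ENV{PATH}, the pattern-match untaint and the list-form piped open. The helper names untaint_pid and ps_lines and the sample arguments are assumptions made for illustration; /bin/ps and -wwwp come from the thread.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external programs until PATH is set to a
# known value and these shell-affecting variables are removed (perlsec).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted PID, or undef if the input is not all digits.
# Only data captured by a pattern match loses its taint; \A and \z
# anchor the whole string, so a trailing newline is rejected too.
sub untaint_pid {
    my ($raw) = @_;
    return unless defined $raw;
    my ($pid) = $raw =~ /\A(\d+)\z/;
    return $pid;
}

# Run ps with list-form piped open: no shell is involved, so each
# argument reaches ps exactly as given.
sub ps_lines {
    my ($pid) = @_;
    open(my $ps, '-|', '/bin/ps', '-wwwp', $pid)
        or die "can't fork ps: $!";
    my @lines = <$ps>;
    # ps exits non-zero when no such process exists.
    close($ps) or warn "ps exited with status ", $? >> 8, "\n";
    return @lines;
}

# Constructed sample arguments, used when none is given on the command
# line. Literals are not tainted; real @ARGV values are.
my @args = @ARGV ? @ARGV : ($$, '1; rm -rf /', '12abc');
for my $arg (@args) {
    my $pid = untaint_pid($arg);
    if (!defined $pid) {
        print "rejected: '$arg'\n";
        next;
    }
    printf "accepted: %s (raw tainted=%d, pid tainted=%d)\n",
        $pid, tainted($arg) ? 1 : 0, tainted($pid) ? 1 : 0;
    print ps_lines($pid);
}
```

Because -T is on the #! line, run it with perl -T (or execute the file directly). Passing a real PID on the command line shows the raw value as tainted and the captured one as clean.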
