Causing code to execute after a regex interpolation #5700

Closed
p5pRT opened this issue Jul 3, 2002 · 3 comments

p5pRT commented Jul 3, 2002

Migrated from rt.perl.org#10023 (status was 'resolved')

Searchable as RT10023$


p5pRT commented Jul 3, 2002

From ton@infonet-europe.net

Created by hostmaster@eqip.net

When (?{}) and co. were introduced there was a lot of discussion
about whether, if you had a user-provided variable and you did
/()$user/, the user could cause code to run. So that was forbidden
and needs use re 'eval'.

However, along another route the problem returned:

perl -we 'sub foo { print "foobar\n" } $x = shift; /$x/' '\p{foo}'
foobar

echo 'print "foobar\n"' > foo.pl; perl -we '$x = shift; /$x/' '\p{foo}'
foobar

Yes, I know -T stops this, and, yes, I know interpolating user variables
is iffy anyway (an invalid regex you can catch with an eval, but
a DoS (coredump or effectively infinite CPU time) is always possible).

If you give the full path, -T doesn't even stop it:
perl -we '$x = shift; /$x/' '\p{/full/path/to/any/perl/file.pl}'

Basically, you get a remote-controlled "do".

I fear this is a big security hole for quite a few CGI scripts that
allow you to enter a full Perl regex (even more fun for sites also
allowing file upload).

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.7.0:

Configured by ton at Wed Nov  8 00:26:07 MET 2000.

Summary of my perl5 (revision 5.0 version 7 subversion 0) configuration:
  Platform:
    osname=solaris, osvers=2.7, archname=sun4-solaris
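Added example (not from the report or the perl5 sources): a vetting step a CGI script could run before interpolating a user-supplied pattern, using the hypothetical helpers check_user_pattern and compile_user_pattern. It refuses the \p{...}/\P{...} escapes the report shows reaching do/require, refuses embedded-code groups, caps pattern length against the backtracking DoS the reporter mentions, and compiles inside eval so invalid syntax becomes a rejection rather than a die.

```perl
use strict;
use warnings;
# Hypothetical helper (not from the report): vet a user-supplied pattern
# before it is interpolated into a regex. Returns undef when acceptable,
# otherwise a reason string.
sub check_user_pattern {
    my ($pat, $max_len) = @_;
    $max_len = 256 unless defined $max_len;   # cap work handed to the engine
    return "pattern too long" if length($pat) > $max_len;
    my $n = length $pat;
    for (my $i = 0; $i < $n; ) {
        my $c = substr($pat, $i, 1);
        if ($c eq '\\') {
            # Consume the escape as a pair, so "\\p" (an escaped backslash
            # followed by a literal p) passes while "\p{...}" does not.
            my $next = $i + 1 < $n ? substr($pat, $i + 1, 1) : '';
            return "property escape \\$next not allowed"
                if $next eq 'p' || $next eq 'P';
            $i += 2;
            next;
        }
        # Embedded code groups already need re 'eval'; refusing them here
        # gives a clear rejection instead of a runtime die.
        return "code group not allowed"
            if substr($pat, $i, 3) eq '(?{' || substr($pat, $i, 4) eq '(??{';
        $i++;
    }
    return undef;
}
# Compile only after vetting; eval turns syntax errors such as an
# unbalanced "(" into a rejection instead of a die.
sub compile_user_pattern {
    my ($pat) = @_;
    my $err = check_user_pattern($pat);
    return (undef, $err) if defined $err;
    my $re = eval { qr/$pat/ };
    if (!defined $re) {
        chomp(my $e = $@);
        return (undef, "invalid regex: $e");
    }
    return ($re, undef);
}
# Constructed inputs: the report's payload, an escaped backslash, a normal
# pattern, an embedded code group, and a syntax error.
for my $in ('\p{foo}', '\\\\d+', 'foo(bar|baz)+', '(?{ print 1 })', '(abc') {
    my ($re, $err) = compile_user_pattern($in);
    printf "%-16s => %s\n", $in, defined $re ? 'ok' : "rejected: $err";
}
```

Current perls still honour user-defined properties (subs named Is* or In*) reached through \p{...}, so the escape check stays relevant even where the do-a-file path of this report is gone.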



p5pRT commented Jul 4, 2002

From @rgarcia

On 2002.07.03 18:21 ton@infonet-europe.net wrote:

> When (?{}) and co. were introduced there was a lot of discussion
> about whether, if you had a user-provided variable and you did
> /()$user/, the user could cause code to run. So that was forbidden
> and needs use re 'eval'.
>
> However, along another route the problem returned:
>
> perl -we 'sub foo { print "foobar\n" } $x = shift; /$x/' '\p{foo}'
> foobar

5.8.0 RC2 doesn't give this result: it prints nothing.


p5pRT commented Jul 4, 2008

p5p@spam.wizbit.be - Status changed from 'open' to 'resolved'
