Taint mode and PERL5LIB

Discussion in 'Perl Misc' started by kj, Jun 11, 2004.

  1. kj

    kj Guest

    When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    This presents a problem to CGI scripts that want to run in taint
    mode but need libraries installed in directories not mentioned in
    the default value of @INC [1].

    Then again, is running under taint mode really necessary past the
    development and testing phase? In other words, is taint mode
    anything more than an additional check that the developer can make
    prior to releasing the code to make sure that there are no security
    gaps in the code, but once the code passes, taint mode can be safely
    turned off?

    Thanks!

    kj

    [1] I realize that I could add appropriate "use lib /path/to/my/libs"
    lines to the CGI scripts, but at installation time this is a royal
    pain, especially if many CGI scripts are involved, since every user
    installing this software would have to mung these lines in all its
    CGI scripts. At the very least, make would have to do the munging,
    which gives me the creeps; I'd prefer to find some other solution.

    --
    NOTE: In my address everything before the period is backwards.
    kj, Jun 11, 2004
    #1
    1. Advertising

  2. kj

    Ben Morrow Guest

    Quoth kj <>:
    >
    > When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    > This presents a problem to CGI scripts that want to run in taint
    > mode but need libraries installed in directories not mentioned in
    > the default value of @INC [1].
    >
    > Then again, is running under taint mode really necessary past the
    > development and testing phase? In other words, is taint mode
    > anything more than an additional check that the developer can make
    > prior to releasing the code to make sure that there are no security
    > gaps in the code, but once the code passes, taint mode can be safely
    > turned off?


    No.

    > [1] I realize that I could add appropriate "use lib /path/to/my/libs"
    > lines to the CGI scripts, but at installation time this is a royal
    > pain, especially if many CGI scripts are involved, since every user
    > installing this software would have to mung these lines in all its
    > CGI scripts. At the very least, make would have to do the munging,
    > which gives me the creeps; I'd prefer to find some other solution.


    I am presuming you are looking for a solution you can write into new
    scripts, rather than one which will work with existing ones?

    At the start of each script, examine $ENV{PERL5LIB}, untaint it, check
    that its value looks like a reasonable Perl library dir, etc., split it
    on colons and 'use lib'. You can (obviously) put all this in a module,
    so you can just say something like

    use MyApp::perl5Lib;

    at the top of each individual script.

    Ben

    --
    And if you wanna make sense / Whatcha looking at me for? (Fiona Apple)
    * *
    Ben Morrow, Jun 12, 2004
    #2
    1. Advertising

  3. Ben Morrow wrote:
    > Quoth kj <>:
    >
    >>When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    >>This presents a problem to CGI scripts that want to run in taint
    >>mode but need libraries installed in directories not mentioned in
    >>the default value of @INC [1].
    >>
    >>Then again, is running under taint mode really necessary past the
    >>development and testing phase? In other words, is taint mode
    >>anything more than an additional check that the developer can make
    >>prior to releasing the code to make sure that there are no security
    >>gaps in the code, but once the code passes, taint mode can be safely
    >>turned off?

    >
    >
    > No.


    That is interesting. According to the Perl taint faq i found
    (http://gunther.web66.com/FAQS/taintmode.html):

    Run-time checking means that you need to test all logical paths of
    execution your script might take so that "legal operations" do not
    get halted because of taint mode.

    I get the impression that if the testing is thorough enough, taint
    mode could be turned off for release code. I do *not* argue that
    it *should* be turned off, I am just curious to know if there are
    situations after testing which could cause taint to fail, for
    instance that it would object to the contents of input, despite
    untainting?

    Kind regards,

    /Gunnar
    Gunnar Strand, Jun 12, 2004
    #3
  4. kj

    Ben Morrow Guest

    Quoth Gunnar Strand <>:
    > Ben Morrow wrote:
    > > Quoth kj <>:
    > >
    > >>When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    > >>This presents a problem to CGI scripts that want to run in taint
    > >>mode but need libraries installed in directories not mentioned in
    > >>the default value of @INC [1].
    > >>
    > >>Then again, is running under taint mode really necessary past the
    > >>development and testing phase? In other words, is taint mode
    > >>anything more than an additional check that the developer can make
    > >>prior to releasing the code to make sure that there are no security
    > >>gaps in the code, but once the code passes, taint mode can be safely
    > >>turned off?

    > >
    > >
    > > No.

    >
    > That is interesting. According to the Perl taint faq i found
    > (http://gunther.web66.com/FAQS/taintmode.html):
    >
    > Run-time checking means that you need to test all logical paths of
    > execution your script might take so that "legal operations" do not
    > get halted because of taint mode.
    >
    > I get the impression that if the testing is thorough enough, taint
    > mode could be turned off for release code.


    In theory, if you were sufficiently confident that you had tested every
    code path, you could turn it off with no loss of safety: as you say, if
    tainting is never going to fail, there is no need for it.

    However, defensive programming practices would recommend assumming that
    there *might* be cases you've overlooked (even with coverage testing
    tools such as Devel::Cover, you can't necesarily be sure you've tested
    all possible sources of tainted data), and leaving tainting on as a
    production app that halts with a taint failure, although not acceptable,
    is better than one which has a security hole.

    > I do *not* argue that it *should* be turned off, I am just curious to
    > know if there are situations after testing which could cause taint to
    > fail, for instance that it would object to the contents of input,
    > despite untainting?


    No, the only case is where some tainted data arrives from somewhere you
    weren't expecting and thus isn't untainted (or checked).

    Ben

    --
    Musica Dei donum optimi, trahit homines, trahit deos. |
    Musica truces molit animos, tristesque mentes erigit. |
    Musica vel ipsas arbores et horridas movet feras. |
    Ben Morrow, Jun 12, 2004
    #4
  5. kj

    kj Guest

    In <cadebt$d8u$> Ben Morrow <> writes:


    >Quoth kj <>:
    >>
    >> When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    >> This presents a problem to CGI scripts that want to run in taint
    >> mode but need libraries installed in directories not mentioned in
    >> the default value of @INC [1].
    >>
    >> Then again, is running under taint mode really necessary past the
    >> development and testing phase? In other words, is taint mode
    >> anything more than an additional check that the developer can make
    >> prior to releasing the code to make sure that there are no security
    >> gaps in the code, but once the code passes, taint mode can be safely
    >> turned off?


    >No.


    >> [1] I realize that I could add appropriate "use lib /path/to/my/libs"
    >> lines to the CGI scripts, but at installation time this is a royal
    >> pain, especially if many CGI scripts are involved, since every user
    >> installing this software would have to mung these lines in all its
    >> CGI scripts. At the very least, make would have to do the munging,
    >> which gives me the creeps; I'd prefer to find some other solution.


    >I am presuming you are looking for a solution you can write into new
    >scripts, rather than one which will work with existing ones?


    >At the start of each script, examine $ENV{PERL5LIB}, untaint it, check
    >that its value looks like a reasonable Perl library dir, etc., split it
    >on colons and 'use lib'.


    If that's all there is to it, then I don't see why Perl should
    disregard PERL5LIB when running under taint mode, instead of just
    doing what you say above, and using PERL5LIB as usual if it checks
    out.

    >You can (obviously) put all this in a module,
    >so you can just say something like


    >use MyApp::perl5Lib;


    >at the top of each individual script.


    Wouldn't this strategy fail precisely due to the problem it is
    trying to solve (how would Perl be able to load MyApp/Perl5Lib.pm
    unless it was already in a directory mentioned in the default @INC)?

    kj

    --
    NOTE: In my address everything before the period is backwards.
    kj, Jun 12, 2004
    #5
  6. kj

    Anno Siegel Guest

    Gunnar Strand <> wrote in comp.lang.perl.misc:
    > Ben Morrow wrote:
    > > Quoth kj <>:
    > >
    > >>When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    > >>This presents a problem to CGI scripts that want to run in taint
    > >>mode but need libraries installed in directories not mentioned in
    > >>the default value of @INC [1].
    > >>
    > >>Then again, is running under taint mode really necessary past the
    > >>development and testing phase? In other words, is taint mode
    > >>anything more than an additional check that the developer can make
    > >>prior to releasing the code to make sure that there are no security
    > >>gaps in the code, but once the code passes, taint mode can be safely
    > >>turned off?

    > >
    > >
    > > No.

    >
    > That is interesting. According to the Perl taint faq i found
    > (http://gunther.web66.com/FAQS/taintmode.html):
    >
    > Run-time checking means that you need to test all logical paths of
    > execution your script might take so that "legal operations" do not
    > get halted because of taint mode.
    >
    > I get the impression that if the testing is thorough enough, taint
    > mode could be turned off for release code. I do *not* argue that
    > it *should* be turned off, I am just curious to know if there are
    > situations after testing which could cause taint to fail, for
    > instance that it would object to the contents of input, despite
    > untainting?


    Well, for one, there is more than tainted data that may make a taint
    test fail. If $ENV{ PATH} points to something that is writable by
    anyone but its owner, you can launder the string all day but "system"
    and friends will fail in taint mode. That is one test that can only
    be done at run time, there are certainly more.

    But even if without run time tests, for a complete cover of all cases
    you'd have to determine the set of all variables in your program
    whose taintedness may matter (including parts of %ENV) and check the
    behavior for every combination of tainted/untainted there is.
    A look at the long section (in perlsec) that lists which Perl functions
    may be taint-sensitive and in which way is discouraging.

    So, taint mode must stay on in production, for fundamental and
    practical reasons.

    Anno
    Anno Siegel, Jun 12, 2004
    #6
  7. kj

    J Krugman Guest

    In <caf3h3$gp8$-Berlin.DE> -berlin.de (Anno Siegel) writes:

    >Gunnar Strand <> wrote in comp.lang.perl.misc:
    >> Ben Morrow wrote:
    >> > Quoth kj <>:
    >> >
    >> >>When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    >> >>This presents a problem to CGI scripts that want to run in taint
    >> >>mode but need libraries installed in directories not mentioned in
    >> >>the default value of @INC [1].
    >> >>
    >> >>Then again, is running under taint mode really necessary past the
    >> >>development and testing phase? In other words, is taint mode
    >> >>anything more than an additional check that the developer can make
    >> >>prior to releasing the code to make sure that there are no security
    >> >>gaps in the code, but once the code passes, taint mode can be safely
    >> >>turned off?
    >> >
    >> >
    >> > No.

    >>
    >> That is interesting. According to the Perl taint faq i found
    >> (http://gunther.web66.com/FAQS/taintmode.html):
    >>
    >> Run-time checking means that you need to test all logical paths of
    >> execution your script might take so that "legal operations" do not
    >> get halted because of taint mode.
    >>
    >> I get the impression that if the testing is thorough enough, taint
    >> mode could be turned off for release code. I do *not* argue that
    >> it *should* be turned off, I am just curious to know if there are
    >> situations after testing which could cause taint to fail, for
    >> instance that it would object to the contents of input, despite
    >> untainting?


    >Well, for one, there is more than tainted data that may make a taint
    >test fail. If $ENV{ PATH} points to something that is writable by
    >anyone but its owner, you can launder the string all day but "system"
    >and friends will fail in taint mode. That is one test that can only
    >be done at run time, there are certainly more.


    >But even if without run time tests, for a complete cover of all cases
    >you'd have to determine the set of all variables in your program
    >whose taintedness may matter (including parts of %ENV) and check the
    >behavior for every combination of tainted/untainted there is.
    >A look at the long section (in perlsec) that lists which Perl functions
    >may be taint-sensitive and in which way is discouraging.


    >So, taint mode must stay on in production, for fundamental and
    >practical reasons.


    Still it is not clear to me why Perl doesn't offer a builtin function
    or a standard module to untaint PERL5LIB. I found an interesting
    and not too ancient thread on this at http://tinyurl.com/yr4vs .
    There is a module called perl5lib in CPAN that does the job, but
    I think it should be part of the distribution. (BTW, is there a
    standard channel for requesting adding a feature to future releases
    of Perl?)

    jill

    --
    To s&e^n]d me m~a}i]l r%e*m?o\v[e bit from my a|d)d:r{e:s]s.
    J Krugman, Jun 12, 2004
    #7
  8. kj <> writes:

    > When running under taint mode (-T switch), $ENV{PERL5LIB} is ignored.
    > This presents a problem to CGI scripts that want to run in taint
    > mode but need libraries installed in directories not mentioned in
    > the default value of @INC [1].


    If you can configure your web server to ignore the #! line in the CGI
    scripts and envoke them via an explicit perl command line then you can
    put -I switches in that command line.

    If you can't do that see the module "perl5lib" on CPAN.

    > Then again, is running under taint mode really necessary past the
    > development and testing phase?


    Yes, it is probably wise.

    --
    \\ ( )
    . _\\__[oo
    .__/ \\ /\@
    . l___\\
    # ll l\\
    ###LL LL\\
    Brian McCauley, Jun 14, 2004
    #8
  9. kj

    Ben Morrow Guest

    Quoth J Krugman <>:
    >
    > Still it is not clear to me why Perl doesn't offer a builtin function
    > or a standard module to untaint PERL5LIB.


    Builtin??? Come off it... that's way too specific :). Look at
    Scalar::Util: those are things that *failed* to become builtins.

    A standard module is a possibility, but the usage would not be high.
    Apart from anything else, the conditions under which a given value of
    PERL5LIB is safe vary hugely from situation to situation. OTOH it is a
    tiny module, and it might make people's lives easier on webhosts who'll
    only install the standard distro.

    > There is a module called perl5lib in CPAN that does the job, but
    > I think it should be part of the distribution. (BTW, is there a
    > standard channel for requesting adding a feature to future releases
    > of Perl?)




    Ben

    --
    I must not fear. Fear is the mind-killer. I will face my fear and
    I will let it pass through me. When the fear is gone there will be
    nothing. Only I will remain.
    Frank Herbert, 'Dune'
    Ben Morrow, Jun 14, 2004
    #9
  10. kj

    Ben Morrow Guest

    Quoth kj <>:
    > In <cadebt$d8u$> Ben Morrow <> writes:
    >
    > >At the start of each script, examine $ENV{PERL5LIB}, untaint it, check
    > >that its value looks like a reasonable Perl library dir, etc., split it
    > >on colons and 'use lib'.

    >
    > If that's all there is to it, then I don't see why Perl should
    > disregard PERL5LIB when running under taint mode, instead of just
    > doing what you say above, and using PERL5LIB as usual if it checks
    > out.


    *THINK*. How can Perl possibly know what is safe and what isn't? It
    depends entirely on the situation. That's the whole point of taint mode:
    perl forces you to check things are safe, because it can't check for
    you.

    Ben

    --
    Joy and Woe are woven fine,
    A Clothing for the Soul divine William Blake
    Under every grief and pine 'Auguries of Innocence'
    Runs a joy with silken twine.
    Ben Morrow, Jun 14, 2004
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Johann C. Rocholl

    Taint (like in Perl) as a Python module: taint.py

    Johann C. Rocholl, Feb 5, 2007, in forum: Python
    Replies:
    5
    Views:
    462
    Johann C. Rocholl
    Feb 6, 2007
  2. Louis Erickson
    Replies:
    2
    Views:
    196
    James Willmore
    Sep 3, 2003
  3. Ben
    Replies:
    17
    Views:
    217
  4. Dave Saville

    Find::File and taint mode

    Dave Saville, Nov 18, 2003, in forum: Perl Misc
    Replies:
    5
    Views:
    125
    Ben Morrow
    Nov 18, 2003
  5. Asterbing

    taint mode and require using "."

    Asterbing, Apr 5, 2006, in forum: Perl Misc
    Replies:
    9
    Views:
    180
    robic0
    Apr 10, 2006
Loading...

Share This Page