Taint mode piped open problem

[Rohit]

Hello All,

I am writing perl script with taint mode. In which I have to parse PS
command output using command line argument process ID. The problem is
when I store this process id in any variable, by using this variable I
am getting error.

$processID = $ARGV[0];

open(PSDATA, "/bin/ps -wwwp $processID |");
while (<PSDATA>) {
print scalar <PSDATA>;
}
close PSDATA;

I am getting this taint checking error -> "Insecure dependency in
piped open while running with -T switch at GetWidget.pl line 24."

If I replace $processID to any process id like 250, it works fine.

open(PSDATA, "/bin/ps -wwwp 250 |");

I will appreciate any solution for this problem.

Thanks,
Rohit

 

[Gunnar Hjalmarsson]

I am writing perl script with taint mode. In which I have to parse PS
command output using command line argument process ID. The problem is
when I store this process id in any variable, by using this variable I
am getting error.

$processID = $ARGV[0];

open(PSDATA, "/bin/ps -wwwp $processID |");
while (<PSDATA>) {
print scalar <PSDATA>;
}
close PSDATA;

I am getting this taint checking error -> "Insecure dependency in
piped open while running with -T switch at GetWidget.pl line 24."

If I replace $processID to any process id like 250, it works fine.

You need to untaint $processID.

($processID) = $processID =~ /^(\d+)$/;

Please read more about the topic in "perldoc perlsec".

 

[Rohit]

Thank you very much Gunnar! It works fine now.
And thanks for routing me to proper doc.

I am writing perl script with taint mode. In which I have to parse PS
command output using command line argument process ID. The problem is
when I store this process id in any variable, by using this variable I
am getting error.

$processID = $ARGV[0];

open(PSDATA, "/bin/ps -wwwp $processID |");
while (<PSDATA>) {
print scalar <PSDATA>;
}
close PSDATA;

I am getting this taint checking error -> "Insecure dependency in
piped open while running with -T switch at GetWidget.pl line 24."

If I replace $processID to any process id like 250, it works fine.

You need to untaint $processID.

($processID) = $processID =~ /^(\d+)$/;

Please read more about the topic in "perldoc perlsec".

 

[Ben Morrow]

I am writing perl script with taint mode. In which I have to parse PS
command output using command line argument process ID. The problem is
when I store this process id in any variable, by using this variable I
am getting error.

$processID = $ARGV[0];

Do you have

use warnings;
use strict;

at the top of your script? This probably needs to be

my $processID = $ARGV[0];

open(PSDATA, "/bin/ps -wwwp $processID |");

Check the return value of open.
Use three-or-more arg open, *especially* in scripts where security is an
issue.
Use lexical filehandles.

open(my $PSDATA, '-|', '/bin/ps', '-wwwp', $processID)
or die "can't fork ps: $!";

while (<PSDATA>) {
print scalar <PSDATA>;
}
close PSDATA;

I am getting this taint checking error -> "Insecure dependency in
piped open while running with -T switch at GetWidget.pl line 24."

@ARGV is tainted, since it comes from outside your program. This means
$processID is tainted as well, so you can't pass it directly to ps
without checking it first. With your script as it stood (1-arg open),
someone could have passed an argument of '1; rm -rf /' and caused
serious trouble. With multi-arg open this is not possible, but for all
Perl knows there could be other problems with passing arbitrary data to
ps.

There are two possible solutions: preferable would be to use a module
like Proc:rocessTable rather than parsing the output of ps(1);
alternatively, you need to untaint $ARGV[0] by extracting data from a
pattern match. Something like

my ($processID) = ($ARGV[0] =~ /^(\d+)$/)
or die "invalid pid: $ARGV[0]";

Read perldoc perlsec, and note that you will also (if you aren't
already) need to explicitly set $ENV{PATH} before taint mode will let
you run anything at all.

If I replace $processID to any process id like 250, it works fine.

open(PSDATA, "/bin/ps -wwwp 250 |");

This is because a literal constant like '250' is not from outside your
program, so it isn't tainted. (I guess this means you are already
setting $PATH.)

Ben

 

[Rohit]

Hi Ben,

Thanks for this great lesson. Using this I will be able to prevent
other problems too in future.

Again thanks a lot!

~Rohit

Quoth Rohit <[email protected]>:

I am writing perl script with taint mode. In which I have to parse PS
command output using command line argument process ID. The problem is
when I store this process id in any variable, by using this variable I
am getting error.

$processID = $ARGV[0];

Do you have

use warnings;
use strict;

at the top of your script? This probably needs to be

my $processID = $ARGV[0];

open(PSDATA, "/bin/ps -wwwp $processID |");

Check the return value of open.
Use three-or-more arg open, *especially* in scripts where security is an
issue.
Use lexical filehandles.

open(my $PSDATA, '-|', '/bin/ps', '-wwwp', $processID)
or die "can't fork ps: $!";

while (<PSDATA>) {
print scalar <PSDATA>;
}
close PSDATA;

I am getting this taint checking error -> "Insecure dependency in
piped open while running with -T switch at GetWidget.pl line 24."

@ARGV is tainted, since it comes from outside your program. This means
$processID is tainted as well, so you can't pass it directly to ps
without checking it first. With your script as it stood (1-arg open),
someone could have passed an argument of '1; rm -rf /' and caused
serious trouble. With multi-arg open this is not possible, but for all
Perl knows there could be other problems with passing arbitrary data to
ps.

There are two possible solutions: preferable would be to use a module
like Proc:rocessTable rather than parsing the output of ps(1);
alternatively, you need to untaint $ARGV[0] by extracting data from a
pattern match. Something like

my ($processID) = ($ARGV[0] =~ /^(\d+)$/)
or die "invalid pid: $ARGV[0]";

Read perldoc perlsec, and note that you will also (if you aren't
already) need to explicitly set $ENV{PATH} before taint mode will let
you run anything at all.

If I replace $processID to any process id like 250, it works fine.

open(PSDATA, "/bin/ps -wwwp 250 |");

This is because a literal constant like '250' is not from outside your
program, so it isn't tainted. (I guess this means you are already
setting $PATH.)

Ben