Taint mode piped open problem

Discussion in 'Perl Misc' started by Rohit, Jan 26, 2008.

  1. Rohit

    Rohit Guest

    Hello All,

    I am writing a Perl script with taint mode, in which I have to parse ps
    command output using a process ID given as a command-line argument. The
    problem is that when I store this process ID in a variable and use that
    variable, I get an error.

    $processID = $ARGV[0];

    open(PSDATA, "/bin/ps -wwwp $processID |");
    while (<PSDATA>) {
    print scalar <PSDATA>;
    }
    close PSDATA;

    I am getting this taint checking error -> "Insecure dependency in
    piped open while running with -T switch at GetWidget.pl line 24."

    If I replace $processID with any process ID like 250, it works fine.

    open(PSDATA, "/bin/ps -wwwp 250 |");

    I will appreciate any solution for this problem.

    Thanks,
    Rohit
     
    Rohit, Jan 26, 2008
    #1

  2. Rohit wrote:
    > I am writing a Perl script with taint mode, in which I have to parse ps
    > command output using a process ID given as a command-line argument. The
    > problem is that when I store this process ID in a variable and use that
    > variable, I get an error.
    >
    > $processID = $ARGV[0];
    >
    > open(PSDATA, "/bin/ps -wwwp $processID |");
    > while (<PSDATA>) {
    > print scalar <PSDATA>;
    > }
    > close PSDATA;
    >
    > I am getting this taint checking error -> "Insecure dependency in
    > piped open while running with -T switch at GetWidget.pl line 24."
    >
    > If I replace $processID with any process ID like 250, it works fine.


    You need to untaint $processID.

    ($processID) = $processID =~ /^(\d+)$/;

    Please read more about the topic in "perldoc perlsec".

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
     
    Gunnar Hjalmarsson, Jan 26, 2008
    #2

  3. Rohit

    Rohit Guest

    Thank you very much Gunnar! It works fine now.
    And thanks for routing me to the proper doc.

     
    Rohit, Jan 26, 2008
    #3
  4. Ben Morrow

    Ben Morrow Guest

    Quoth Rohit <>:
    >
    > I am writing a Perl script with taint mode, in which I have to parse ps
    > command output using a process ID given as a command-line argument. The
    > problem is that when I store this process ID in a variable and use that
    > variable, I get an error.
    >
    > $processID = $ARGV[0];


    Do you have

    use warnings;
    use strict;

    at the top of your script? This probably needs to be

    my $processID = $ARGV[0];

    > open(PSDATA, "/bin/ps -wwwp $processID |");


    Check the return value of open.
    Use three-or-more arg open, *especially* in scripts where security is an
    issue.
    Use lexical filehandles.

    open(my $PSDATA, '-|', '/bin/ps', '-wwwp', $processID)
    or die "can't fork ps: $!";

    > while (<PSDATA>) {
    > print scalar <PSDATA>;
    > }
    > close PSDATA;
    >
    > I am getting this taint checking error -> "Insecure dependency in
    > piped open while running with -T switch at GetWidget.pl line 24."


    @ARGV is tainted, since it comes from outside your program. This means
    $processID is tainted as well, so you can't pass it directly to ps
    without checking it first. With your script as it stood (1-arg open),
    someone could have passed an argument of '1; rm -rf /' and caused
    serious trouble. With multi-arg open this is not possible, but for all
    Perl knows there could be other problems with passing arbitrary data to
    ps.

    There are two possible solutions: preferable would be to use a module
    like Proc::ProcessTable rather than parsing the output of ps(1);
    alternatively, you need to untaint $ARGV[0] by extracting data from a
    pattern match. Something like

    my ($processID) = ($ARGV[0] =~ /^(\d+)$/)
    or die "invalid pid: $ARGV[0]";

    Read perldoc perlsec, and note that you will also (if you aren't
    already) need to explicitly set $ENV{PATH} before taint mode will let
    you run anything at all.

    > If I replace $processID with any process ID like 250, it works fine.
    >
    > open(PSDATA, "/bin/ps -wwwp 250 |");


    This is because a literal constant like '250' is not from outside your
    program, so it isn't tainted. (I guess this means you are already
    setting $PATH.)

    Ben
     
    Ben Morrow, Jan 26, 2008
    #4
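
The advice in the replies above, combined into one script as an added example (not code from any poster in this thread): it sets a fixed environment, untaints the PID by regex capture, and uses list-form piped open. The helper name `untaint_pid`, the 10-digit limit and the PATH value are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). untaint_pid and the 10-digit limit
# are illustrative assumptions.
use strict;
use warnings;

# Taint mode refuses to run commands until PATH is set explicitly; also
# drop variables a shell could act on.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted PID, or undef if the input is not all ASCII digits.
# Only text captured by a regex group loses its taint. \A...\z with [0-9]
# is stricter than ^\d+$, which also accepts a trailing newline.
sub untaint_pid {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([0-9]{1,10})\z/;
    return $1;
}

my $pid = untaint_pid($ARGV[0]);
die "usage: $0 <pid>\n" unless defined $pid;

# List-form piped open: ps is exec'd directly, so no shell ever parses
# the argument. Taint checks still apply, hence the untainting above.
open(my $ps, '-|', '/bin/ps', '-wwwp', $pid)
    or die "can't fork ps: $!";
while (my $line = <$ps>) {
    print $line;
}
close($ps)
    or warn $! ? "error closing ps pipe: $!\n"
               : "ps exited with status " . ($? >> 8) . "\n";
```

Run it as `perl -T script.pl <pid>` or execute the file directly; with -T only on the #! line, a plain `perl script.pl` refuses to start.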
  5. Rohit

    Rohit Guest

    Hi Ben,

    Thanks for this great lesson. Using this I will be able to prevent
    other problems too in future.

    Again thanks a lot!

    ~Rohit

     
    Rohit, Jan 27, 2008
    #5
