Re: Potentially insecure Perl scripts




[resent with group-reply, sorry]

On 2019-01-25 10:36:42 +0000, Dominic Hargreaves wrote:
> Also, I think it's worth trying to identify what the worst extent
> of the issue is. Whilst I don't agree with some who say that this isn't
> a security issue at all, I don't know of any real-world cases where
> it would be exploitable for remote code execution.

Probably not directly, but if the user doesn't check the filenames,
this can obviously occur. Those using "wget -r" should be very
careful with this. I had a Perl script working on such a "wget -r"
result. Fortunately it was just a Perl script that did all the work,
and it was using the 3-arg open on the files, so that it wasn't
vulnerable.

There is a potential exploit if the user calls a vulnerable script
on files obtained with "wget -r".

> If someone would like to contradict me, please feel free to mail
> off-list. Either way, the fact remains that if untrusted/unsanitised
> input is being passed into your @ARGV, then something is already
> wrong.

I recall that a part of the issue is that this wasn't documented
(in addition to being unintuitive). As pure filenames, they are
already sanitized: a filename that ends with "|" is perfectly
valid.

-- 
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
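
The following Perl sketch is an added example, not part of the original message or of any script mentioned in it. It reads files named in @ARGV with the 3-arg open the message refers to, and adds a conservative check for names that 2-arg open (and so `while (<>)`) would not treat as plain paths. The names `is_magic_name` and `count_lines` are hypothetical.

```perl
#!/usr/bin/perl
# Added example: process files named on the command line (for instance the
# result of "wget -r") without letting Perl interpret the names themselves.
use strict;
use warnings;

# Conservative check: true if 2-arg open(), and therefore "while (<>)",
# could treat $name as something other than a plain path to read.
sub is_magic_name {
    my ($name) = @_;
    return 1 if $name eq '-';             # 2-arg open reads STDIN
    return 1 if $name =~ /\A\s|\s\z/;     # surrounding whitespace is stripped
    return 1 if $name =~ /\A[<>|+]/;      # mode prefix, or pipe to a command
    return 1 if $name =~ /\|\z/;          # pipe from a command
    return 0;
}

# Count lines with 3-arg open: the mode is fixed to '<', so $path is only
# ever used as a path, whatever characters it contains.
sub count_lines {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    my $n = 0;
    $n++ while <$fh>;
    close($fh);
    return $n;
}

# Explicit loop instead of "while (<>)". On Perl 5.22 and later, the
# double-diamond operator "<<>>" also opens each @ARGV entry with 3-arg open.
for my $name (@ARGV) {
    warn "note: '$name' would be special to 2-arg open\n"
        if is_magic_name($name);
    printf "%s: %d lines\n", $name, count_lines($name);
}
```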