Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Re: magic open of ARGV #1613

Closed p5pRT closed 21 years ago

p5pRT commented 25 years ago

Migrated from rt.perl.org#2850 (status was 'resolved')

Searchable as RT2850$

p5pRT commented 25 years ago

From thospel@mail.dma.be

In article <E12VVJx-0006xp-00@ursa.cus.cam.ac.uk>, "M.J.T. Guy" <mjtg@cus.cam.ac.uk> writes:

> thospel@mail.dma.be (Ton Hospel) wrote
>
> > In fact, there was a little-known third proposal by yours truly (hi!): turn off magic <> if the perl command line contains an explicit --. Otherwise you are still hacked. Observe:
> >
> >   mkdir /tmp/a
> >   cd /tmp/a
> >   echo > '-e;print("Bwahaha\n")'
> >   echo foo > bar
> >   perl -wne '' *
> >
> > Will also give you the dreaded: Bwahaha
>
> That's a nasty one, but it's quite different from the "magic open" problem. In this case, there is no magic open. And it's a shell problem which Perl can do nothing about - how can Perl tell whether its arguments come from a glob expansion or not?
>
> Hmmm... perhaps it can guess. Suppose we put a test in the perl argument processing "does a file of this name exist?" analogous to the one in Tom's proposed patch. What genuine usage would that bite?

That's because you are not thinking sufficiently evil. Now if the perl administrator has e.g. a /tmp cleanup script that uses * expansion, you can now create a file in /tmp with a name like a program option and the cleanup script will NOT run. You can use it as a denial of service against a perfectly working and safe program.

> > So, since a security aware person has to do
> >
> >   perl -wne '' -- *
> >
> > anyways, let that remove the magicness
>
> Your logic seems to be back-to-front. We're trying to save the security unaware from themselves. So we need to turn off magicness

It is back to front because that's not the problem I'm trying to solve. There are in fact TWO things that need to be solved:

1) A programmer who knows what he is doing should be able to write
   a secure program that uses * expansion. That's the one I was addressing

2) A naive user should not be surprised by unexpected magic
   That's the one you try to solve. I'd like to see it solved too,
   but for the moment I think it can't be done, so I want at least
   option 1).

   Notice that I like the idea of Tom's proposal, but it's flawed since it
   has an intrinsic race condition, in that the file test for the
   decision of magic open happens before the open itself. So make sure
   the magic file does not exist when the * expansion happens, does not exist
   when the magic test is done, and exists again when finally the magic
   is executed. Using classical tricks with symlinks and FIFOs you can make
   this race as big as you want.

   So Tom's proposal gives only mock security, and I currently see no way to
   save it.
--
"If I cannot use the users as playthings, I don't really see too much purpose in having them on my systems." -Chris Magagna (chris#uidaho.edu)
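The two problems the thread separates, shown side by side as an added example in Perl (this is not code from the original thread or from the perl5 project). An option-like file name such as `-e;...` is only dangerous while the shell's glob result is being parsed as perl switches, which is what `--` ends; a name ending in `|` is dangerous at run time, because `<>` hands each element of `@ARGV` to the two-argument form of `open()`, which treats it as a pipe. The sample directory, file names and contents below are constructed for the demonstration; it assumes a Unix-like system where `|` is legal in a file name, and uses only the core modules `File::Temp` and `Cwd`. The `<<>>` operator mentioned in a comment is a fact about Perl 5.22 and later, not something the thread proposes.

```perl
#!/usr/bin/perl
# Added example, not from the thread or the perl5 project: shows that the
# magic open of ARGV is independent of how the arguments were parsed.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Constructed sample names: one that looks like a perl switch, one that the
# two-argument open used by <> treats as a command to read from.
my $OPT_NAME  = '-e;print("Bwahaha\n")';   # only matters during switch parsing
my $PIPE_NAME = 'echo pwned|';             # two-arg open runs "echo pwned"

# Create the hostile names plus an ordinary file, each with known contents.
sub make_sample_dir {
    my $dir = tempdir(CLEANUP => 1);
    for my $name ($OPT_NAME, $PIPE_NAME, 'bar') {
        open(my $fh, '>', "$dir/$name") or die "create $name: $!";
        print $fh "real contents of $name\n";
        close $fh or die "close $name: $!";
    }
    return $dir;
}

# What "while (<>)" does: magic open of ARGV. Nothing in the argument list,
# not even a preceding "--" on the command line, changes this interpretation.
sub magic_read {
    local @ARGV = @_;
    my @lines;
    while (<>) { push @lines, $_ }
    return @lines;
}

# The hardened loop: an explicit three-argument open takes the name
# literally. Perl 5.22 and later provide the same behaviour as <<>>.
sub plain_read {
    my @lines;
    for my $name (@_) {
        open(my $fh, '<', $name) or do { warn "$name: $!\n"; next };
        push @lines, <$fh>;
        close $fh;
    }
    return @lines;
}

my $dir  = make_sample_dir();
my $orig = getcwd();
chdir $dir or die "chdir $dir: $!";

print "magic <> on '$PIPE_NAME':   ", magic_read($PIPE_NAME);
print "3-arg open on '$PIPE_NAME': ", plain_read($PIPE_NAME);
# At run time the option-like name is just a file for either loop; it was
# only a problem when the shell handed it to perl as a switch.
print "3-arg open on '$OPT_NAME':  ", plain_read($OPT_NAME);

chdir $orig or die "chdir back: $!";   # let File::Temp remove $dir at exit
```

Run it as an ordinary script (for instance `perl magic_argv.pl`; the file name is arbitrary). The first line of output comes from the `echo` command that the magic open executed, while the second and third show the files' actual contents. In stock perl, `--` ends switch parsing but does not change what `<>` does with the names that follow it; that is the gap the proposal in the thread wanted `--` to close.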