Is Perl's taint mode useful?
perl -T

Do you use it? Does it help you find security holes in your Perl scripts?

Drawstring answered 9/2, 2010 at 10:56 Comment(0)
32

More than that :) it stops your security issues before they become one. It is not a security silver bullet of course... we used to use it (a few years back when I was involved in Perl projects) in any script that was exposed externally (i.e. any mod_perl app) and we found it very useful and made it our policy. It does a few checks and it is handy. (Anything that makes things automated helps.)

Perl Security - perlsec recommends it strongly too:

This flag [Taint mode] is strongly suggested for server programs and any program run on behalf of someone else, such as a CGI script. Once taint mode is on, it's on for the remainder of your script.

Zsazsa answered 9/2, 2010 at 11:10 Comment(3)
Taint mode is a developer tool. It doesn't stop or prevent security issues. It shows you where you have problems, but it relies on you to handle them properly. – Spermatid
It's not misleading at all. Taint checking does not increase your security one bit. I'm not saying not to use it. Just don't think it's going to protect you. It merely shows you where you should consider protection. I've seen plenty of "taint-safe" programs that still had the same old security problems of unvalidated inputs. – Spermatid
@briandfoy ... via the infamous $safe = $1 if $unsafe =~ /(.*)/ – Greenlee
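The comments above contrast what taint mode actually does (flag data and refuse to use it in dangerous operations) with the `/(.*)/` anti-pattern that launders the flag without validating anything. The following script is an added example, not code from the thread or from perlsec; the file-name format, the default value and the `untaint_filename` helper are my own assumptions. It shows the taint flag on `@ARGV`, the fatal check that `system()` performs on tainted data, and an allowlist regex as the proper way to untaint.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): how -T marks input as tainted and how
# to untaint it with an allowlist instead of the /(.*)/ anti-pattern.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted and system()/exec require a known, absolute PATH
# before they will run at all, even when the command is given by full path.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Command-line arguments are external input and therefore tainted.
my $input = defined $ARGV[0] ? $ARGV[0] : 'report.txt';   # constructed default (untainted literal)
printf "input is %stainted\n", tainted($input) ? '' : 'not ';

# Anti-pattern quoted in the comments: /(.*)/ matches anything, so it removes
# the taint flag without checking the value. Shown only as a comment.
# my ($laundered) = $input =~ /(.*)/;

# Allowlist untainting (hypothetical helper): accept only a short plain file
# name made of word characters, dots and dashes, and reject "." and "..".
# The value returned through $1 is untainted because it passed a regex match.
sub untaint_filename {
    my ($s) = @_;
    return unless defined $s;
    my ($clean) = $s =~ /\A([\w.-]{1,64})\z/ or return;
    return if $clean eq '.' or $clean eq '..';
    return $clean;
}

# Tainted data in a command is refused: "Insecure dependency in system while
# running with -T switch". eval turns the fatal error into a report.
if (tainted($input)) {
    my $ran = eval { system('/bin/echo', $input) == 0; 1 };
    print $ran ? "system() ran\n" : "system() blocked: $@";
}

my $name = untaint_filename($input);
defined $name or die "rejected unsafe file name\n";
printf "name is %stainted\n", tainted($name) ? '' : 'not ';

# The validated value may be used where the tainted one could not.
system('/bin/echo', 'would open', $name) == 0 or warn "echo failed: $?\n";
```

Run it as `perl -T taint_demo.pl 'report.txt'` and then with an argument containing shell metacharacters: the first `system()` is refused in both cases because the argument is still tainted, while the second runs only when the allowlist accepts the value. Running with `-t` instead of `-T` turns the fatal "Insecure dependency" errors into warnings, which is the mode a later comment suggests for legacy code.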
19

Most definitely!

$ echo '`rm -rf /`' | perl -Te 'eval while <>'
Insecure dependency in eval while running with -T switch at -e line 1, <> line 1.
Jeromyjerreed answered 9/2, 2010 at 14:31 Comment(3)
Hah. You're brave if you actually ran that. I've probably spent 3 hours before hitting the enter key to make sure -T was in my perl command. – Manteltree
Maybe he ran it as user nobody – Hourihan
Wouldn't have done anything anyway, man rm: --no-preserve-root: do not treat '/' specially – Amadoamador
14

The "Secure Programming Techniques" chapter of Mastering Perl is almost completely devoted to taint checking and how you should use it.

Many people will tell you it protects you, but they subtly lie about that. It's a developer tool that helps you find some (only some) spots in your code where you need to be careful. It's not going to solve all of your security problems.

Spermatid answered 9/2, 2010 at 20:23 Comment(0)
9

I think taint mode would work best when new code is being developed that everyone is familiar with.

If you have someone else's code that is poorly written, and you run it in Taint mode -- perl will die rather than perform what by the tainting rules are 'unsafe' operations.

In taint mode perl some holes are patched but not all. system("$unfiltered_user_input") will die but Perl could still write $unfiltered_user_input data to a file with a fixed name (because printing tainted data is considered 'safe') and then execute that file with system(). But nothing can check everything.

There's a tradeoff there for using it on legacy apps. When Perl finds an unsafe operation on tainted data it will die -- which means someone must go in and decide what it means to untaint the data, and what regexps are needed, before the application will be reliable again.

Some people would prefer insecure, reliable, low cost (for now) to -- secure, broken, need to find the developers. Not that that's good in the long run... but it is not unusual.

Hourihan answered 9/2, 2010 at 14:38 Comment(2)
That example of running system() on a file containing data obtained from a user is a good one. – Allogamy
There are also taint warnings (-t). They warn about the same things but they don't stop your program. Start with those for legacy programs. – Spermatid
4

Yes, taint mode is useful for all the reasons mentioned above.

One place that you may not consider tainted data is when interacting with a database. Fortunately, DBI has support for stopping tainted data from getting into your database, and it treats data coming from your database as being tainted so that you can't do anything unsafe with it. You have to specifically turn on the options for this; they're off by default. See the DBI docs for more.

Descendant answered 25/11, 2013 at 14:49 Comment(0)
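The answer above points at DBI's taint options without showing them. As an added example (not from the answer or from the DBI documentation), here is a script using the `TaintIn` and `TaintOut` connection attributes with an in-memory DBD::SQLite database; the table, the sample row and the allowlist regex are constructed for the demonstration. `TaintIn` makes DBI refuse tainted arguments to its methods, and `TaintOut` marks every fetched value tainted so that it cannot reach `system()`, `open()` or similar without being validated first.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): DBI's TaintIn/TaintOut attributes under -T.
# Requires DBI and DBD::SQLite; the database lives in memory.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', {
    RaiseError => 1,
    PrintError => 0,
    TaintIn    => 1,   # refuse tainted data passed to DBI methods (statements and bind values)
    TaintOut   => 1,   # mark data fetched from the database as tainted
});

# Constructed schema and sample row; both are untainted literals.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$dbh->do('INSERT INTO users (name) VALUES (?)', undef, 'alice');

# @ARGV is tainted under -T; the fallback is an untainted literal.
my $who = defined $ARGV[0] ? $ARGV[0] : 'alice';
printf "argument is %stainted\n", tainted($who) ? '' : 'not ';

# With TaintIn, even a parameterised query is refused while the value is tainted.
# Placeholders prevent SQL injection; taint checking additionally forces the
# caller to validate the value before it reaches the database layer at all.
my $ran = eval {
    $dbh->selectrow_array('SELECT id FROM users WHERE name = ?', undef, $who);
    1;
};
print $ran ? "untainted lookup ran\n" : "blocked by TaintIn: $@";

# Allowlist untainting: a user name is 1 to 32 lowercase letters, nothing else.
my ($clean) = $who =~ /\A([a-z]{1,32})\z/ or die "rejected user name\n";

my ($id, $name) = $dbh->selectrow_array(
    'SELECT id, name FROM users WHERE name = ?', undef, $clean);
defined $id or die "no such user\n";

# TaintOut: the fetched name is tainted even though it came from our own table,
# so passing it to system() or open() would die until it is validated again.
printf "fetched '%s' (id %d); fetched value is %stainted\n",
    $name, $id, tainted($name) ? '' : 'not ';
```

Run with `perl -T dbi_taint.pl alice` to see the first query blocked and the second, validated one succeed; the fetched `name` comes back tainted because of `TaintOut`, which is the protection against trusting data simply because it was stored by your own application.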
-3

Oh, gods, no. Taint mode should have been yanked from Perl 15-20 years ago. It prevents nothing as you cannot possibly validate the response of certain commands. It gets people to believe they're secure, but all they do is /(.*)/. It breaks nearly everything on Windows (even being able to get an accurate temporary directory). DO NOT USE TAINT

Eschar answered 17/8, 2020 at 14:35 Comment(0)
