
Re: [MacPerl] taint checks and CGI.pm



More problems with taint checks:

In the blue camel book (page 358) there is a function
to see if a variable is tainted:

# Camel-book idiom: kill still runs the taint check even with no PIDs,
# so the eval dies (and the sub returns true) if any argument is tainted.
sub is_tainted {
  not eval {
     join("", @_), kill 0;
     1;
  }
}

This returns true all the time, I think because kill is not implemented
like on UNIX, and returns false. The book states it "...makes use of the
obscure fact that the kill function tests for taintedness, even when no
process IDs are supplied..."

I think obscure facts should not be used for programming,
especially if we are talking about security.
There should be another way to check if a variable is tainted.
Maybe this should be solved in the original Perl.
I would also like to have such a function in the debugger.

Sidebar: the debugger also does not work with taint checks on,
because of the @INC path.

UNIX and MacOS are different, so a UNIX security flaw may not
be present on MacOS.
But I see the following problem: if I'm on an AppleTalk network
and I have a publicly visible folder, someone can upload a MacPerl
executable together with a specially modified version
of a module like CGI.pm. If I now open my script by double-clicking,
the new version of MacPerl may start, because the Finder
starts the newest version of anything, and uses the bad module.

On UNIX, Perl's taint checks check whether the PATH directories are
writeable only by the owner and the owner's group. Maybe on the Mac,
the taint check should check whether the MacPerl Preferences, MacPerl
itself and the paths from @INC are writeable only by the owner and the
group, and should set $ENV{MACPERL} and @INC as untainted.

Does anybody know any resources about security on the Mac?
I have just done some research about security, but most resources
are about UNIX and some about Windows and Windows NT.

regards

Karsten Meier


---------------------------------------------------------------------
Karsten Meier
EMail krstnmr@ibm.net
WWW: http://www.meier-online.com with following highlights:
 * German MacPerl Primer * XTensions for use with QuarkXPress 
Unsolicited and/or commercial email is not permitted at this address.
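The two things the post asks for, a non-obscure taintedness test and a permission check over @INC modelled on the PATH check, as an added example. This is not code from the post or from MacPerl; it assumes Perl 5.8 or later (where Scalar::Util, a core module, provides tainted()) and UNIX-style permission bits for the directory check, and it must be started with perl -T so that $ENV{PATH} is actually tainted.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Assumes Perl 5.8+ (Scalar::Util
# is core there) and UNIX mode bits; run as: perl -T this_script.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The Camel-book idiom: kill with no PIDs still performs the taint check,
# so under -T the eval dies if any argument is tainted.
sub is_tainted_kill {
    my @vals = @_;
    return not eval { join("", @vals), kill 0; 1 };
}

# The portable, documented way since Perl 5.8: Scalar::Util::tainted.
sub is_tainted {
    return tainted($_[0]) ? 1 : 0;
}

# Report @INC entries writable by group or others: the same condition taint
# mode rejects for $ENV{PATH} directories before running an external command.
sub unsafe_inc_dirs {
    my @unsafe;
    for my $dir (@INC) {
        next unless -d $dir;                # skip code refs and other pseudo-entries
        my $mode = (stat $dir)[2] & 07777;
        push @unsafe, sprintf("%s (mode %04o)", $dir, $mode) if $mode & 022;
    }
    return @unsafe;
}

# Untaint a value only after matching it against an explicit allow-list
# pattern; the capture $1 is what taint mode treats as clean.
sub untaint_path {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ m{\A([\w./:-]+)\z} ? $1 : undef;
}

unless (caller) {
    my $clean   = "constant string";
    my $tainted = $ENV{PATH};           # tainted under -T
    printf "clean:   kill=%d util=%d\n", is_tainted_kill($clean),   is_tainted($clean);
    printf "tainted: kill=%d util=%d\n", is_tainted_kill($tainted), is_tainted($tainted);
    my $safe = untaint_path($tainted);
    printf "untainted copy is tainted: %d\n", is_tainted($safe);
    print "group/world-writable \@INC dirs: ",
          (join(", ", unsafe_inc_dirs()) || "none"), "\n";
}
```

Both is_tainted variants agree on UNIX Perl: 0 for the constant, 1 for $ENV{PATH}, and 0 again for the regex-untainted copy. Whether the kill-based variant behaves the same on MacPerl is exactly the question the post raises; Scalar::Util::tainted does not depend on kill at all, which is why it is the check to prefer.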


