Vulnerability Development mailing list archives

Re: execution inside of Perl reg ex?


From: Pascal Bouchareine <pb () T-ONLINE FR>
Date: Thu, 4 Jan 2001 18:08:46 +0100

Well, I'm certainly wrong on some points, but I came to the following
point of view (which I'd love you to clarify if I misunderstood some facts).

IMHO, Perl first evals any special chars (backquotes and the like),
interprets your line, and once it knows exactly what to do with
your input line, expands scalars and variables. Thus, meta-characters
and backquotes are not interpreted, since the interpreter looked for them
before the $variable expansion. If your line is a function call, and this
function has character conventions with special meanings (such as open()
and |, or (?{}) in a regexp, for example), this gets dangerous.

Perl changed this; as Cypher stated, it would give:
  Eval-group not allowed at runtime, use re 'eval' at ./test.pl line 12.

Another way to see this point is evaluated code. If you happen to feed a
script interpreter with user input (such as ``/system(), or eval(), which is a
Perl interpreter inside the Perl interpreter), then it gets dangerous.

A last point may be twice-evaluated things. For example, with
double calls to uncgi(), where %250d is "magically" translated
to %0d.

So:

$n =~ /$user_input/

doesn't sound dangerous yet (we didn't find any // bug, for now :), but
may be one day..

This is also true with shell scripts in CGI:

#!/bin/sh
##

echo $INPUT_STRING


isn't tricked by "first-layer (the shell)" meta-characters, since it
will look for them before expanding $INPUT_STRING, but could be if
the "second-layer (echo)" had a special interpretation of some characters
or if a bug were discovered in echo.

User input should be trusted as much as you trust your scripting languages
and sub-layers: I choose not to trust it at all.

\Q...\E is safe (for the moment) and is supplied as a "don't trust it" keyword
for Perl. It sounds much better than nothing.

On Wed, Jan 03, 2001 at 10:34:18AM +0000, sporty o'one wrote:
> this is exactly the reason for \Q\E
>
> so \Q$this\E is safe
>
> As an operator, Perl will shell any command you put inside back
> quotes and return the result of the shelled command. I assume this
> would work inside a regular expression, but I haven't tried.


--
Kalou.
         .ascii "T[fhBOfXf5B@f1ChjAX4APPZHf1Chfh/xh/tmpT[RSTYjOX4D2p"


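As an added example (not code from the original post or from its author), the three cases discussed in the thread side by side in one runnable Perl script: an untrusted string interpolated raw into a pattern, the same thing with `use re 'eval'` switched on in a lexical scope, and the same string wrapped in \Q...\E. The haystack line and the three inputs are constructed stand-ins for CGI parameters, and $main::executed is a counter introduced here only to show whether the (?{ }) block actually ran.

```perl
#!/usr/bin/perl
# Added example, not from the original post: untrusted text interpolated
# into a Perl pattern raw, under `use re 'eval'`, and inside \Q...\E.
use strict;
use warnings;

our $executed = 0;   # constructed counter; bumped if the (?{ }) block ever runs

my $line = 'root:x:0:0:root:/root:/bin/sh';   # constructed haystack

my @inputs = (
    'root',                      # plain literal
    '.*',                        # metacharacters: matches anything when raw
    '(?{ $main::executed++ })',  # eval-group: code, not a pattern
);

# Raw interpolation: the user controls the pattern, so metacharacters are live.
# Perl refuses (?{ }) in a pattern built at runtime and dies with
# "Eval-group not allowed at runtime, use re 'eval'"; the eval{} catches that.
sub match_raw {
    my ($haystack, $pattern) = @_;
    my $ok = eval { $haystack =~ /$pattern/ ? 1 : 0 };
    return $ok if defined $ok;
    chomp(my $err = $@);
    return "died: $err";
}

# Same thing with the safety catch lexically removed: the (?{ }) block now
# executes with whatever privileges the CGI has.
sub match_raw_re_eval {
    my ($haystack, $pattern) = @_;
    use re 'eval';   # lexically scoped to this sub
    return $haystack =~ /$pattern/ ? 1 : 0;
}

# \Q...\E is quotemeta(): every non-word character is backslashed, so the
# input can only match itself literally.
sub match_quoted {
    my ($haystack, $pattern) = @_;
    return $haystack =~ /\Q$pattern\E/ ? 1 : 0;
}

for my $in (@inputs) {
    print "input:  $in\n";
    print "  raw:    ", match_raw($line, $in),    "\n";
    print "  quoted: ", match_quoted($line, $in), "\n";
}

print "with re 'eval', raw: ", match_raw_re_eval($line, $inputs[2]), "\n";
print "the (?{ }) block ran $executed time(s)\n";
```

Run it with plain `perl`: 'root' matches both ways; '.*' matches raw (it is a pattern) but not quoted (the line contains no literal ".*"); the eval-group input dies raw, matches nothing quoted, and only under `use re 'eval'` does the counter move. Taint mode (-T) does not help here, since the pattern is never passed to the shell; the quoting is what removes the second layer of interpretation.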