PERLSEC 7

Chinese man pages

PERLSEC

NAME
DESCRIPTION
SEE ALSO
Maintainer of the Chinese version
Latest update of the Chinese version
Chinese manual page translation project

NAME

perlsec - Perl security

DESCRIPTION

Perl is designed to make it easy to write secure programs, even ones that run with extra privileges, such as setuid or setgid programs. Unlike most command line shells, which are based on multiple substitution passes over each line of the script, Perl uses a more conventional evaluation scheme with fewer hidden snags. Additionally, because the language has more builtin functionality, it can rely less upon external (and possibly untrustworthy) programs to accomplish its purposes.

When Perl detects that its program is running with differing real and effective user or group IDs, it automatically enables a set of special security checks called "taint mode". The setuid bit in Unix permissions is mode 04000 and the setgid bit is mode 02000; either or both may be set. You can also enable taint mode explicitly with the -T command line flag. This flag is strongly recommended for server programs and for any program run on behalf of someone else, such as a CGI script. Once taint mode is on, it stays on for the remainder of the script.

While in taint mode, Perl takes special precautions called "taint checks" to prevent both obvious and subtle traps. Some of these checks are reasonably simple, such as verifying that the directories in the path are not writable by others; careful programmers have always used checks like these. Other checks, however, are best supported by the language itself, and it is these checks especially that make a set-id Perl program more secure than the corresponding C program.

You may not use data derived from outside your program to affect something else outside your program, at least not by accident. All command line arguments, environment variables, locale information (see perllocale), the results of certain system calls (readdir(), readlink(), the variable of shmread(), the messages returned by msgrcv(), and the password, gcos and shell fields returned by the getpwxxx() calls), and all file input are marked as "tainted". Tainted data may not be used directly or indirectly in any command that invokes a sub-shell, nor in any command that modifies files, directories or processes, with the following exceptions:

Arguments to print and syswrite are not checked for taintedness.

Symbolic methods

$obj->$method(@args);

and symbolic sub references

&{$foo}(@args);
$foo->(@args);

are not checked for taintedness. This requires extra care unless you want external data to affect your control flow. Unless you carefully limit what these symbolic values are, people are able to call functions outside your Perl code (such as POSIX::system) to run arbitrary external code.

For efficiency reasons, Perl takes a conservative view of whether data is tainted. If an expression contains tainted data, any subexpression may be considered tainted, even if the value of the subexpression is not itself affected by the tainted data.

Because taintedness is associated with each scalar value, some elements of an array or hash can be tainted and others not. The keys of a hash are never tainted.

For example:

$arg = shift;               # $arg is tainted
$hid = $arg, 'bar';         # $hid is also tainted
$line = <>;                 # Tainted
$line = <STDIN>;            # Also tainted
open FOO, "/home/me/bar" or die $!;
$line = <FOO>;              # Still tainted
$path = $ENV{'PATH'};       # Tainted, but see below
$data = 'abc';              # Not tainted

system "echo $arg";         # Insecure
system "/bin/echo", $arg;   # Considered insecure
                            # (Perl doesn't know about /bin/echo)
system "echo $hid";         # Insecure
system "echo $data";        # Insecure until PATH is set

$path = $ENV{'PATH'};       # $path now tainted

$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

$path = $ENV{'PATH'};       # $path now NOT tainted
system "echo $data";        # Is secure now!

open(FOO, "< $arg");        # OK - read-only file
open(FOO, "> $arg");        # Not OK - trying to write

open(FOO, "echo $arg|");    # Not OK
open(FOO, "-|")
    or exec 'echo', $arg;   # Also not OK

$shout = `echo $arg`;       # Insecure, $shout now tainted

unlink $data, $arg;         # Insecure
umask $arg;                 # Insecure

exec "echo $arg";           # Insecure
exec "echo", $arg;          # Insecure
exec "sh", '-c', $arg;      # Very insecure!

@files = <*.c>;             # insecure (uses readdir() or similar)
@files = glob('*.c');       # insecure (uses readdir() or similar)

# In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would
# have used an external program to do the filename expansion; but in
# either case the result is tainted since the list of filenames comes
# from outside of the program.

$bad = ($arg, 23);          # $bad will be tainted
$arg, `true`;               # Insecure (although it isn't really)

If you try to do something insecure, you will get a fatal error saying something like "Insecure dependency" or "Insecure $ENV{PATH}".

Laundering and Detecting Tainted Data

To test whether a variable contains tainted data, and whose use would thus trigger an "Insecure dependency" message, look for the Taint.pm module on your nearby CPAN mirror; it should be available around 1997. Or you may be able to use the following is_tainted() function.

# Returns true if any argument carries tainted data: under -T, evaluating
# a string built from tainted data dies, which the outer eval turns into
# a false result.
sub is_tainted {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

This function makes use of the fact that the presence of tainted data anywhere within an expression renders the entire expression tainted. It would be inefficient for every operator to test every argument for taintedness. Instead, the slightly more efficient and conservative approach is used: if any tainted value has been accessed within the same expression, the whole expression is considered tainted.

But testing for taintedness gets you only so far. Sometimes you have to clear your data's taintedness. The only way to bypass the tainting mechanism is by referencing subpatterns from a regular expression match. Perl presumes that if you reference a substring using $1, $2, etc., you knew what you were doing when you wrote the pattern. That means using a bit of thought: don't just blindly untaint anything, or you defeat the entire mechanism. It's better to verify that the variable has only good characters (for certain values of "good") than to check whether it has any bad characters, because it's far too easy to miss bad characters that you never thought of.

Here's a test to make sure that the data contains nothing but "word" characters (alphabetics, numerics and underscores), a hyphen, an at sign, or a dot.

if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1;                     # $data now untainted
} else {
    die "Bad data in '$data'";      # log this somewhere
}

This is fairly secure. Using /.+/ would in theory have been insecure, because it matches any character, and Perl does not check for that. The lesson is that when untainting, you must be exceedingly careful with your patterns. Laundering data with a regular expression is the only mechanism for untainting dirty data, unless you use the strategy detailed below to fork a child of lesser privilege.

If your program uses use locale, then the above example will not untaint $data, because the characters matched by \w are determined by the locale. Perl considers locale definitions untrustworthy because they contain data from outside the program. If you are writing a locale-aware program and want to launder data with a regular expression containing \w, put no locale ahead of the expression. See "SECURITY" in perllocale for more information.
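As an added example (not part of perlsec or of the Perl distribution), the following taint-mode script ties together the is_tainted() test from above, the allowlist launder with no locale in scope, and the PATH and IFS/CDPATH/ENV/BASH_ENV cleanup from the earlier example code, before calling system in list form. The script name, the fallback token, the launder_token() and sanitize_env() helpers and the /bin/echo call are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not perlsec's own code: launder a command-line argument
# under taint mode and only then hand it to a child process.
use strict;
use warnings;

# Same trick as perlsec's is_tainted(): an eval-string built from tainted
# data dies with "Insecure dependency" under -T, so the outer eval yields
# false. Outside taint mode this always returns false.
sub is_tainted {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Allowlist launder: word characters, '-', '@' and '.' only. Input that
# does not match is rejected outright rather than "cleaned up", since
# stripping characters you did not think of is how laundering fails.
sub launder_token {
    my ($raw) = @_;
    no locale;                       # \w must not depend on the locale
    if ($raw =~ /^([-\@\w.]+)$/) {
        return $1;                   # the captured substring is untainted
    }
    die "Bad data in '$raw'\n";
}

# Known-good environment before any sub-process is started.
sub sanitize_env {
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
}

# @ARGV is tainted under -T; the constructed fallback is a literal and so
# is not, which the first status line shows when no argument is given.
my $arg = defined $ARGV[0] ? $ARGV[0] : 'user-123@example.org';
print "argument tainted?   ", (is_tainted($arg) ? "yes" : "no"), "\n";

my $clean = launder_token($arg);
print "laundered tainted?  ", (is_tainted($clean) ? "yes" : "no"), "\n";

sanitize_env();
# List form: no shell is involved, so nothing in $clean can be expanded.
system('/bin/echo', 'token:', $clean) == 0
    or die "echo failed with status $?\n";
```

Run it as perl -T launder.pl some-value; invoking it without -T makes Perl refuse to start ("Too late for -T"), which is the intended behaviour for a script whose correctness depends on taint checks being on. Passing a value containing a shell metacharacter such as a semicolon ends in the "Bad data" die rather than reaching system.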

When you make a script executable, so that it can be used as a command, the system passes the switches on the "#!" line to Perl. Perl checks that any command line switches given to a setuid (or setgid) program actually match the ones set on the "#!" line. Some Unix and Unix-like environments impose a one-switch limit on the "#!" line, so you may need to use something like -wU instead of -w -U. (This issue arises only in Unix or Unix-like environments that support #! and setuid or setgid scripts.)

Taint mode and @INC

When the taint mode ("-T") is in effect, the "." directory is removed from @INC, and the environment variables "PERL5LIB" and "PERLLIB" are ignored by Perl. You can still adjust @INC from outside the program by using the "-I" command line option as explained in perlrun. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the "-I" option is clearly visible and therefore permitted.

Another way to modify @INC without modifying the program, is to use the "lib" pragma, e.g.:

perl -Mlib=/foo program

The benefit of using "-Mlib=/foo" over "-I/foo" is that the former will automagically remove any duplicated directories, while the latter will not.

Cleaning Up Your Path

For "Insecure $ENV{PATH}" messages, you need to set $ENV{PATH} to a known value, and each directory in the path must be non-writable by anyone other than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. It is not generated because you didn't supply a full path to the program; instead, it is generated because you never set your PATH environment variable, or you didn't set it to something safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that depends on your PATH, it makes sure that you set the PATH.

PATH isn't the only variable that can cause problems. Because some shells use the variables IFS, CDPATH, ENV and BASH_ENV, Perl checks that those are either empty or untainted when starting subprocesses. You may wish to add something like this to your set-id and taint-checking scripts:

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer

Of course, it is possible to get into trouble whether or not tainted variables are involved. Make judicious use of the file tests when dealing with any user-supplied filenames. When possible, do opens and such after properly dropping any special user (or group!) privileges. Perl doesn't prevent you from opening tainted filenames for reading and reading their contents, so be careful what you print out. The tainting mechanism is intended to prevent stupid mistakes, not to remove the need for thought.

Perl does not call the shell to expand wildcards when you pass system and exec explicit parameter lists instead of strings that may contain wildcards. Unfortunately, the open, glob and backtick functions (translator's note: a backtick is the ` character) provide no such feature, so you must be very careful when using them.

Perl provides a reasonably safe way to open a file or pipe from a setuid or setgid program: create a child process with reduced privilege that does the "dirty" work for you. First, fork a child using the special open syntax that connects the parent and child by a pipe. Now the child resets its ID set and any other per-process attributes, such as environment variables, umask and current working directory, back to the originals or to known safe values. Then the child process, which no longer has any special permissions, does the open or other system call. Finally, the child passes the data it managed to access back to the parent. Because the file or pipe was opened in the child while running under less privilege than the parent, it is not apt to be tricked into doing something it shouldn't.

Here's a way to do backticks safely. Notice how exec is not called with a string that the shell could expand. This is by far the best way to call something that might be subjected to shell escapes: just never call the shell at all.

use English '-no_match_vars';
die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
if ($pid) {           # parent
    while (<KID>) {
        # do something
    }
    close KID;
} else {
    my @temp     = ($EUID, $EGID);
    my $orig_uid = $UID;
    my $orig_gid = $GID;
    $EUID = $UID;
    $EGID = $GID;
    # Drop privileges
    $UID  = $orig_uid;
    $GID  = $orig_gid;
    # Make sure privs are really gone
    ($EUID, $EGID) = @temp;
    die "Can't drop privileges"
        unless $UID == $EUID && $GID eq $EGID;
    $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH.
    # Consider sanitizing the environment even more.
    exec 'myprog', 'arg1', 'arg2'
        or die "can't exec myprog: $!";
}

A similar strategy would work for wildcard expansion via glob, although you can use readdir instead.
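The readdir-based alternative that the sentence above mentions, written out as an added example that is not part of perlsec: it collects the *.c files of a directory without glob, launders every name with an allowlist match, and returns only the untainted names. The safe_c_files() helper, its pattern and the '.' default directory are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not perlsec's own code: a taint-safe replacement for
# glob('*.c') built on opendir/readdir plus per-name laundering.
use strict;
use warnings;

# Return the untainted, sorted list of "*.c" names found in $dir.
# readdir() results are tainted under -T, so each name is passed through
# an allowlist match; anything that does not match is reported and
# skipped rather than silently stripped.
sub safe_c_files {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "Can't open directory '$dir': $!\n";
    my @ok;
    while (defined(my $name = readdir $dh)) {
        next if $name eq '.' || $name eq '..';
        if ($name =~ /^([\w.-]+\.c)$/) {   # word chars, '.', '-' and a .c suffix
            push @ok, $1;                   # $1 is untainted
        }
        else {
            warn "skipping suspicious name '$name'\n";
        }
    }
    closedir $dh;
    return sort @ok;
}

# A literal directory is not tainted; a directory taken from @ARGV would
# have to be laundered the same way before being used here.
my $dir = '.';
for my $file (safe_c_files($dir)) {
    # $file may now be used where tainted data would be refused, for
    # instance passed to unlink or opened for writing.
    print "$dir/$file\n";
}
```

Unlike glob, nothing here ever consults PATH or a shell, so the only taint to deal with is the one Perl puts on each directory entry, and the allowlist decides per name whether it is trusted.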

Taint checking is most useful when, although you trust yourself not to have written a program that gives away the farm, you don't necessarily trust those who end up using it not to try to trick it into doing something bad. This is the kind of security checking that is useful for set-id programs and programs launched on someone else's behalf, such as CGI programs.

It is quite different, however, if not even the author of the program can be trusted. That's the kind of trust needed when someone hands you a program and says, "Here, try this." For that kind of safety, use the Safe module included in the Perl distribution. This module allows the programmer to set up special compartments in which all system operations are trapped and namespace access is strictly controlled.
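An added example of the Safe compartment described above (not perlsec's own code): code handed in from outside is evaluated with only a small operator mask permitted, so an attempt to run a sub-process is trapped at compile time inside the compartment instead of executing. The run_untrusted() helper and the two constructed code snippets are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not perlsec's own code: evaluating code supplied by
# someone else inside a Safe compartment.
use strict;
use warnings;
use Safe;

# Run $code in a fresh compartment that permits only the basic scalar,
# memory and loop ops. Returns the result and the error text (empty if
# none). Ops outside the mask, such as system, backticks, open or unlink,
# are refused when the code is compiled inside reval, so they never run.
sub run_untrusted {
    my ($code) = @_;
    my $cpt = Safe->new;
    $cpt->permit_only(qw(:base_core :base_mem :base_loop));
    my $result = $cpt->reval($code);
    return ($result, $@);
}

# Constructed inputs: a harmless computation and one that tries to reach
# outside the compartment.
my @samples = (
    'my $n = 0; $n += $_ for 1 .. 10; $n',
    'system("id"); 1',
);

for my $code (@samples) {
    my ($result, $err) = run_untrusted($code);
    print "code:     $code\n";
    print $err ? "  trapped: $err" : "  result:  $result\n";
}
```

The first snippet yields 55; the second never reaches system, and $@ reports the op that was trapped by the operation mask. Starting from permit_only with a minimal opset and adding what the untrusted code legitimately needs is safer than starting from the default mask and removing ops one by one.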

Security Bugs

Beyond the obvious problems that stem from giving special privileges to systems as flexible as scripts, on many versions of Unix set-id scripts are inherently insecure right from the start. The problem is a race condition in the kernel. Between the time the kernel opens the file to see which interpreter to run and the time the (now set-id) interpreter turns around and reopens the file to interpret it, the file in question may have changed, especially if the system has symbolic links.

Fortunately, sometimes this kernel "feature" can be disabled. Unfortunately, there are two ways to disable it. The system can simply outlaw scripts with any set-id bit set, which doesn't help much. Alternatively, it can simply ignore the set-id bits on scripts. If the latter is true, Perl can emulate the setuid and setgid mechanism when it notices the otherwise useless setuid/gid bits on Perl scripts. It does this via a special program called suidperl that is automatically invoked when needed.

However, if the kernel set-id script feature isn't disabled, Perl will complain loudly that your set-id script is insecure. You'll need to either disable the kernel set-id script feature, or put a C wrapper around the script. A C wrapper is just a compiled program that does nothing except call your Perl program. Compiled programs are not subject to the kernel bug that plagues set-id scripts. Here's a simple C wrapper:

#include <unistd.h>

#define REAL_PATH "/path/to/script"

/* Replace ourselves with the script; argv is passed through unchanged. */
int main(int argc, char **argv)
{
    (void)argc;
    execv(REAL_PATH, argv);
    return 1;           /* only reached if execv() fails */
}

Compile this wrapper into a binary executable and then make it, rather than your script, setuid or setgid.

In recent years, vendors have begun to supply systems free of this security bug. On such systems, when the kernel passes the name of the set-id script to be opened to the interpreter, rather than passing a pathname subject to meddling it passes /dev/fd/3. This is a special file already opened on the script, so that there can be no race condition. On these systems, Perl should be compiled with -DSETUID_SCRIPTS_ARE_SECURE_NOW. The Configure program that builds Perl tries to figure this out for itself, so you should never have to specify this yourself. Modern releases of SVR4 and BSD 4.4 use this approach to avoid the kernel race condition.

Prior to release 5.6.1 of Perl, bugs in the code of suidperl could introduce a security hole.

Protecting Your Programs

There are a number of ways to hide the source of your Perl programs, with varying levels of "security".

First of all, you can't take away read permission, because the source code has to be read before it can be compiled and interpreted. (That doesn't mean that a CGI script's source is readable by people on the web, though.) So you have to set the permissions to the socially friendly 0755 level. This lets only people on your local system see your source.

Some people mistakenly regard this as a security problem. If your program does insecure things, and relies on people not knowing how to exploit those insecurities, it is not secure. It is often possible for someone to exploit those insecurities without viewing the source. Achieving so-called "security" by hiding your bugs instead of fixing them is very insecure indeed.

You can try using encryption via source filters (Filter::* from CPAN), but crackers might be able to decrypt it. You can try using the byte-code compiler and interpreter described below, but crackers might be able to decompile it. These pose varying degrees of difficulty to people wanting to get at your code, but none can securely conceal it (this is true of every language, not just Perl).

If you're concerned about people profiting from your program, then you can seek legal protection with a restrictive licence as the bottom line. Of course, it is very risky to release your software guarded only by statements like "This is proprietary software of my company; you have no permission to use it." You should see a lawyer to be sure your licence's wording will stand up in court.

Unicode

Unicode is a new and complex technology and one may easily overlook certain security pitfalls. See perluniintro for an overview and perlunicode for details, and "Security Implications of Unicode" in perlunicode for security implications in particular.

Algorithmic Complexity Attacks

Certain internal algorithms used in the implementation of Perl can be attacked by choosing the input carefully to consume large amounts of either time or space or both. This can lead into the so-called Denial of Service (DoS) attacks.

Hash Function - the algorithm used to "order" hash elements has been changed several times during the development of Perl, mainly to be reasonably fast. In Perl 5.8.1 also the security aspect was taken into account.

In Perls before 5.8.1 one could rather easily generate data that as hash keys would cause Perl to consume large amounts of time because the internal structure of hashes would badly degenerate. In Perl 5.8.1 the hash function is randomly perturbed by a pseudorandom seed which makes generating such naughty hash keys harder. See "PERL_HASH_SEED" in perlrun for more information.

The random perturbation is done by default, but if one wants for some reason to emulate the old behaviour one can set the environment variable PERL_HASH_SEED to zero (or any other integer). One possible reason for wanting to emulate the old behaviour is that in the new behaviour consecutive runs of Perl will order hash keys differently, which may confuse some applications (like Data::Dumper: the outputs of two different runs are no longer identical).

Perl has never guaranteed any ordering of the hash keys, and the ordering has already changed several times during the lifetime of Perl 5. Also, the ordering of hash keys has always been, and continues to be, affected by the insertion order.

Also note that while the order of the hash elements might be randomised, this "pseudoordering" should not be used for applications like shuffling a list randomly (use List::Util::shuffle() for that, see List::Util, a standard core module since Perl 5.8.0; or the CPAN module Algorithm::Numerical::Shuffle), or for generating permutations (use e.g. the CPAN modules Algorithm::Permute or Algorithm::FastPermute), or for any cryptographic applications.

Regular expressions - Perl’s regular expression engine is so called NFA (Non-Finite Automaton), which among other things means that it can rather easily consume large amounts of both time and space if the regular expression may match in several ways. Careful crafting of the regular expressions can help but quite often there really isn’t much one can do (the book "Mastering Regular Expressions" is required reading, see perlfaq2). Running out of space manifests itself by Perl running out of memory.

Sorting - the quicksort algorithm used in Perls before 5.8.0 to implement the sort() function is very easy to trick into misbehaving so that it consumes a lot of time. Nothing more is required than resorting a list already sorted. Starting from Perl 5.8.0 a different sorting algorithm, mergesort, is used. Mergesort is insensitive to its input data, so it cannot be similarly fooled.

See <http://www.cs.rice.edu/~scrosby/hash/> for more information, and any computer science text book on algorithmic complexity.

SEE ALSO

The description of cleaning up environment variables in perlrun.

Maintainer of the Chinese version

nan1nan1 <nan1nan1@hotmail.com>

Latest update of the Chinese version

Sunday, 23 December 2001

Chinese manual page translation project

http://cmpp.linuxforum.net

Afterword

The Chinese version of this page is provided by the Chinese man pages project.
Chinese man pages project: https://github.com/man-pages-zh/manpages-zh