views: 108
answers: 3

Assume that the following Perl code is given:

my $user_supplied_string = &retrieved_from_untrusted_user();
$user_supplied_string =~ s/.../.../g; # filtering done here
my $output = `/path/to/some/command '${user_supplied_string}'`;

The code is clearly insecure, but assume that the only thing that can be changed is the filtering code on line #2.

My question:

  • What is the minimal set of characters that needs to be filtered on line #2 to make the above code secure?

Please note:

  • Whitelisting is not an option in this case, so please keep your answer focused on what to filter out to make it secure. And more specifically; what is the minimal set of characters to filter out to make it secure? Everything else is off-topic.
  • Make sure your answer addresses the question stated ("What is the minimal set of characters that needs to be filtered on line #2 to make the above code secure?"). If your answer does not address that very specific question then don't post. Thanks.
+5  A: 

First, given that you are concerned with security, I suggest you look into taint mode. As for the minimal set of characters to allow to be visible to shell, you are better off not letting any characters be seen by the shell:

my $output = do {
    local $/;   # undefine the record separator so <$pipe> slurps all output at once
    # List-form pipe open: with more than one element after "-|" Perl forks and
    # execs the program directly, so no shell ever parses $user_supplied_string;
    # it is delivered to the command as exactly one argv entry.
    open my $pipe, "-|", "/path/to/some/command", $user_supplied_string
        or die "could not run /path/to/some/command: $!";
    <$pipe>;
};
Chas. Owens
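As an added illustration of the list-form pipe open recommended above (this is not code from the original answer), the script below passes a constructed string containing quotes, semicolons, pipes, redirections and a `$` through `open '-|'` to `/bin/echo`, which stands in for `/path/to/some/command`, and checks that the string comes back byte-for-byte unchanged. It assumes a Unix-like platform with `fork` and `/bin/echo`; the function name `capture_with_arg` is this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: every character here would be significant to
# /bin/sh inside the backtick string from the question.
my $user_supplied_string = q{it's; $HOME | & "q" > f < g};

# Run $cmd with the untrusted value as a single argument, never via a shell.
# Requiring at least one argument keeps the open in list form: a lone
# command string would be handed to the shell if it contained metacharacters.
# Returns the captured output; dies if the program cannot be started or
# exits with a non-zero status.
sub capture_with_arg {
    my ($cmd, $first_arg, @more_args) = @_;
    open my $pipe, '-|', $cmd, $first_arg, @more_args
        or die "could not run $cmd: $!";
    my $output = do { local $/; <$pipe> };   # slurp everything the child wrote
    close $pipe
        or die "$cmd exited with status " . ($? >> 8) . "\n";
    return $output;
}

# /bin/echo simply prints its argument, so comparing what it printed with
# what we sent shows whether anything interpreted the string on the way.
my $out = capture_with_arg('/bin/echo', $user_supplied_string);
chomp $out;

print "sent:     $user_supplied_string\n";
print "received: $out\n";
print $out eq $user_supplied_string
    ? "argument arrived unchanged: no shell parsed it, so no filtering was needed\n"
    : "argument was altered somewhere between Perl and the command\n";
```

The point of the comparison is that the answer to "which characters must be filtered" becomes "none" once the shell is out of the picture; what remains is brian d foy's separate concern of whether the value is valid input for the command itself.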
A: 
Adam Bellaire
A: 

The set of characters that you allow depends on what the application in that system call is going to do with them. There are the shell special characters, but that's only one part of the problem. You also have to ensure that the value you give to the command is valid input, and that requires some more work.

See, for instance, my chapter on security in Mastering Perl where I go into the gory details of the problem.

Perhaps you can explain why your problem ties both your hands behind your back and blindfolds you. Your problem isn't technical if those are your constraints.

brian d foy