Hacker News new | past | comments | ask | show | jobs | submit login

True but perl makes it amazingly easy to exploit.

Suppose that you know the source contains this line:

  open(file_handler, "$userinput");
How much work and what assumptions do you need to exploit this? In perl it's that easy:

  $userinput = "cat /etc/passwd |zenity --text-info |";
  open(file_handler, "$userinput");

> Suppose that you know the source contains this line

Then you have a massive damn problem, and you could set up the same strawman about almost any language - if you're starting from the premise that you are piping arbitrary user input to a system call unimpeded, all bets are off.

Shall we try some other examples? Let's say you accept input from a user, and dump it unchecked in to output shown to the user via Ruby. OH NOES! Ruby is insecure because it supports CSRF! Or, let's say you use Python and pass in input from a user unimpeded straight to the database without using the quoting mechanisms! OH NOES! Python is insecure because it enables SQL injections! etc etc etc

But wait! you say... Sensible programming languages have specific features to stop these kinds of attacks! And you're right. That's why Perl has taint mode... for when you're dumb enough to pass user input straight to open: http://perldoc.perl.org/perlsec.html#Taint-mode

I'm in no secret quest to stain Perl's reputation you know... Just illustrating how easy it is to exploit unchecked user input in the open() function. It just happens that this particular exploit is way easier in Perl than any other language I know.

Of course we should not extrapolate from this to make a judgment on the language. Of course it's nice that security mechanisms are available to alleviate this issue.

Do you usually try $UserInput $Userinput $userInput $user_input etc. when you do that?

It couldn't run your code if it had an uninitialized variable in it, right?

It's vulnerable because the user controls the content of $userinput, the variable name doesn't matter. Real code would look like this:


  print "Enter filename: ";
  $filename = <STDIN>;
  open(file_handler, "$filename");
If you see this code, you know that you can execute any command by giving it at the filename prompt and appending a '|' character. For example giving cat /etc/passwd |zenity --text-info | will popup a dialog with the content of /etc/passwd.

Oh I see, I thought you were talking about something that would be caught by the interpreter if you put

    use strict;

    use warnings;
in there. Thank you for taking the time to put in an example, I understand you better now.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact