Tim,
Thanks for writing a patch so quickly. Unfortunately, I don't think I
want to apply the whole thing. Here is my rationale:
It seems that you are attempting to lock down the config file so that
only Inline can write to it. But this is not what I want to do. It was
always my intent that you could edit the config file by hand; if you
know what you're doing. I even have plans to add some functionality so
that Inline gets its default options from that 'config'.
Anyway, putting in a MD5 hash doesn't protect the file, because you
could add such a hash to any file, even if it were "tainted" (so to
speak). I could alter the config file by hand, and run 'md5sum' to get a
new key and plop it in.
As far as security goes, you should always be the only person with write
access to your '.Inline/config' file. In most cases, each user will have
their own '.Inline/' directory. (I have several :) That's why I think
that putting the '.Inline/' directory in '/tmp/' is a bad idea.
(Susceptible to taint-type attacks.) Inline.pm no longer looks in
'/tmp/' like it used to. In the case of CGI, I recommend precompiling
your Inline code as a normal user, and giving the 'nobody' user
read-only access.
These issues are totally open to discussion. I'm not an expert on much.
I just want to do what is the most right thing.
So back to the taint patch. I assume (not being a taint person) that the
working end of the patch is:
+ # Untaint.
+ $config =~ /^(.*)\z/s;
+ $config = $1;
Is that the only thing that needs fixing for Inline to be taint-safe? If
so I'll release 0.32 this week. If not, please give me a patch that just
untaints the offending code so that Inline will work in -T environments.
If I'm missing the point and opening gaping security holes, I want to
know that as well.
Thanks again for donating your time to this.
Cheers, Brian
Tim Gim Yee wrote:
>
> On Tue, 6 Feb 2001, Brian Ingerson wrote:
>
> > I will not be able to fix this myself until mid-March. But I
> > would be happy to apply a patch if anyone wants to take this up.
> >
> > Stas Bekman wrote:
> > > Apparently Inline.pm is not taint clean, I've discovered it while using
>
> The following patch will untaint the contents of the config file. The
> first line of the config file is now an MD5 "fingerprint" which is checked
> before untainting. If you apply this patch, you will need to delete your
> current config file so Inline can recreate it.
>
> --- Inline-0.31/Inline.pm Sat Jan 13 23:02:12 2001
> +++ Inline.pm Tue Feb 6 14:29:59 2001
> @@ -342,10 +342,20 @@
> $o->create_config_file("$DIRECTORY/config") if not -e "$DIRECTORY/config";
>
> open CONFIG, "< $DIRECTORY/config"
> - or croak "Can't open ${DIRECTORY}config for input\n";
> + or croak "Can't open $DIRECTORY/config for input\n";
> + my $digest = <CONFIG>;
> my $config = join '', <CONFIG>;
> close CONFIG;
>
> + # Check that file contents haven't been altered.
> + chomp $digest;
> + $digest eq md5_hex($config)
> + or croak("MD5 digest mismatch in $DIRECTORY/config\n");
> +
> + # Untaint.
> + $config =~ /^(.*)\z/s;
> + $config = $1;
> +
> delete $main::{Inline::config::};
> eval <<END;
> ;package Inline::config;
> @@ -424,15 +434,20 @@
> my $types = Data::Dumper::Dumper(\%types);
> my $modules = Data::Dumper::Dumper(\%modules);
> my $suffixes = Data::Dumper::Dumper(\%suffixes);
> -
> - open CONFIG, "> $file" or croak "Can't open $file for output\n";
> - print CONFIG <<END;
> +
> + my $config = <<END;
> \$version = $Inline::VERSION;
> %languages = %{$languages};
> %types = %{$types};
> %modules = %{$modules};
> %suffixes = %{$suffixes};
> END
> +
> + # Add a bit of security.
> + $config = md5_hex($config) . "\n$config";
> +
> + open CONFIG, "> $file" or croak "Can't open $file for output\n";
> + print CONFIG $config;
> close CONFIG;
> }
>
> #==============================================================================
>
> --
> Tim Gim Yee
> [EMAIL PROTECTED]
--
perl -le 'use Inline C=>q{SV*JAxH(char*x){return newSVpvf
("Just Another %s Hacker",x);}};print JAxH+Perl'
