author | Jarkko Hietaniemi <jhi@iki.fi> | 2000-03-18 19:56:12 +0000 |
---|---|---|
committer | Jarkko Hietaniemi <jhi@iki.fi> | 2000-03-18 19:56:12 +0000 |
commit | 4602f195a9a943db1cd284ff4af1bcdb58f98ead (patch) | |
tree | 318b2ecd0c5ff35fe7c75032292774679bcd1f36 | |
parent | b448e4fea9d52c651a1814ffb2d1d8745f1f0de9 (diff) | |
download | perl-4602f195a9a943db1cd284ff4af1bcdb58f98ead.tar.gz |
Taint the shell from the getpw*.
p4raw-id: //depot/cfgperl@5805
-rw-r--r-- | pod/perldelta.pod | 5 |
-rw-r--r-- | pod/perlfunc.pod | 46 |
-rw-r--r-- | pod/perlsec.pod | 21 |
-rw-r--r-- | pp_sys.c | 4 |
4 files changed, 46 insertions, 30 deletions
diff --git a/pod/perldelta.pod b/pod/perldelta.pod index 39bb0330ee..8904889c77 100644 --- a/pod/perldelta.pod +++ b/pod/perldelta.pod @@ -206,6 +206,11 @@ will produce different results on platforms that have different $Config{ivsize}. For portability, be sure to mask off the excess bits in the result of unary C<~>, e.g., C<~$x & 0xffffffff>. +=head2 The shell returned by the getpwxxx() is now tainted + +Because the user can affect her own login shell the shell returned +by the getpwent(), getpwnam(), and getpwuid() functions is tainted. + =back =head2 C Source Incompatibilities diff --git a/pod/perlfunc.pod b/pod/perlfunc.pod index f14b8bb04b..2c55a95aa0 100644 --- a/pod/perlfunc.pod +++ b/pod/perlfunc.pod @@ -1859,6 +1859,13 @@ various get routines are as follows: (If the entry doesn't exist you get a null list.) +The exact meaning of the $gcos field varies but it usually contains +the real name of the user (as opposed to the login name) and other +information pertaining to the user. Beware, however, that in many +system users are able to change this information and therefore it +cannot be trusted and therefore the $gcos is is tainted (see L<perlsec>). +The $shell, user's login shell, is also tainted, because of the same reason. + In scalar context, you get the name, unless the function was a lookup by name, in which case you get the other thing, whatever it is. (If the entry doesn't exist you get the undefined value.) For example: 
@@ -1871,26 +1878,25 @@ lookup by name, in which case you get the other thing, whatever it is. $name = getgrent(); #etc. -In I<getpw*()> the fields $quota, $comment, and $expire are -special cases in the sense that in many systems they are unsupported. -If the $quota is unsupported, it is an empty scalar. If it is -supported, it usually encodes the disk quota. If the $comment -field is unsupported, it is an empty scalar. If it is supported it -usually encodes some administrative comment about the user. In some -systems the $quota field may be $change or $age, fields that have -to do with password aging. In some systems the $comment field may -be $class. The $expire field, if present, encodes the expiration -period of the account or the password. For the availability and the -exact meaning of these fields in your system, please consult your -getpwnam(3) documentation and your F<pwd.h> file. You can also find -out from within Perl what your $quota and $comment fields mean -and whether you have the $expire field by using the C<Config> module -and the values C<d_pwquota>, C<d_pwage>, C<d_pwchange>, C<d_pwcomment>, -and C<d_pwexpire>. Shadow password files are only supported if your -vendor has implemented them in the intuitive fashion that calling the -regular C library routines gets the shadow versions if you're running -under privilege. Those that incorrectly implement a separate library -call are not supported. +In I<getpw*()> the fields $quota, $comment, and $expire are special +cases in the sense that in many systems they are unsupported. If the +$quota is unsupported, it is an empty scalar. If it is supported, it +usually encodes the disk quota. If the $comment field is unsupported, +it is an empty scalar. If it is supported it usually encodes some +administrative comment about the user. In some systems the $quota +field may be $change or $age, fields that have to do with password +aging. In some systems the $comment field may be $class. 
The $expire +field, if present, encodes the expiration period of the account or the +password. For the availability and the exact meaning of these fields +in your system, please consult your getpwnam(3) documentation and your +F<pwd.h> file. You can also find out from within Perl what your +$quota and $comment fields mean and whether you have the $expire field +by using the C<Config> module and the values C<d_pwquota>, C<d_pwage>, +C<d_pwchange>, C<d_pwcomment>, and C<d_pwexpire>. Shadow password +files are only supported if your vendor has implemented them in the +intuitive fashion that calling the regular C library routines gets the +shadow versions if you're running under privilege. Those that +incorrectly implement a separate library call are not supported. The $members value returned by I<getgr*()> is a space separated list of the login names of the members of the group. diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 40374870a1..e61316511c 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod 
@@ -33,16 +33,17 @@ You may not use data derived from outside your program to affect something else outside your program--at least, not by accident. All command line arguments, environment variables, locale information (see L<perllocale>), results of certain system calls (readdir, readlink, -the gecos field of getpw* calls), and all file input are marked as -"tainted". Tainted data may not be used directly or indirectly in any -command that invokes a sub-shell, nor in any command that modifies -files, directories, or processes. (B<Important exception>: If you pass -a list of arguments to either C<system> or C<exec>, the elements of -that list are B<NOT> checked for taintedness.) Any variable set -to a value derived from tainted data will itself be tainted, -even if it is logically impossible for the tainted data -to alter the variable. Because taintedness is associated with each -scalar value, some elements of an array can be tainted and others not. +the gecos and shell fields of getpw* calls), and all file input are +marked as "tainted". Tainted data may not be used directly or +indirectly in any command that invokes a sub-shell, nor in any command +that modifies files, directories, or processes. (B<Important +exception>: If you pass a list of arguments to either C<system> or +C<exec>, the elements of that list are B<NOT> checked for +taintedness.) Any variable set to a value derived from tainted data +will itself be tainted, even if it is logically impossible for the +tainted data to alter the variable. Because taintedness is associated +with each scalar value, some elements of an array can be tainted and +others not. For example: @@ -4868,6 +4868,10 @@ PP(pp_gpwent) PUSHs(sv = sv_mortalcopy(&PL_sv_no)); sv_setpv(sv, pwent->pw_shell); +#ifndef INCOMPLETE_TAINTS + /* pw_shell is tainted because user himself can diddle with it. */ + SvTAINTED_on(sv); +#endif #ifdef PWEXPIRE PUSHs(sv = sv_mortalcopy(&PL_sv_no)); |
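
Review bot: In the pod/perldelta.pod hunk (@@ -206,6 +206,11) the new heading writes "getpwxxx()" while the perlfunc and perlsec hunks of this same patch write "getpw*"; pick one spelling so the entry can be found by searching. The entry also has no pointer to L<perlsec>, which the perlfunc text does include, so a reader of the delta is not told where the taint rules are explained. Minor: "her own login shell the shell returned" needs a comma after "login shell".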
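
Review bot: The added paragraph in the first pod/perlfunc.pod hunk (@@ -1859,6 +1859,13) has several wording slips that should be fixed before it lands: "in many system users" should be "on many systems users", "the $gcos is is tainted" repeats "is", "therefore" appears twice in one sentence, and "because of the same reason" reads better as "for the same reason". Since this is the text most people will read when calling getpw*, it would also help to say in one sentence what the taint means for the caller, namely that $gcos and $shell must be validated before they reach a shell or a file operation, rather than leaving that entirely to the L<perlsec> link.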
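
Review bot: The second pod/perlfunc.pod hunk (@@ -1871,26 +1878,25) removes and re-adds the whole $quota/$comment/$expire paragraph with the same words and only different line breaks, which accounts for most of the 46 changed lines in this file and hides the one real addition in the hunk above it. Please drop the re-wrap from this change or submit it separately, so that the history of a security-relevant commit shows only the lines that changed meaning.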
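
Review bot: In the pod/perlsec.pod hunk (@@ -33,16 +33,17) the only change of substance is "the gecos and shell fields of getpw* calls", yet the same paragraph keeps the exception that elements of a list passed to C<system> or C<exec> "are B<NOT> checked for taintedness". A login shell is typically used as the program to run, so the text should state explicitly that the new taint on the shell field gives no protection when the value is passed in list form and that the caller must validate it first. Two smaller points: this hunk spells the field "gecos" while the perlfunc hunk uses "$gcos", and the one-phrase change is buried in a re-wrap of the full paragraph, which makes it hard to review.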
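
Review bot: In the pp_sys.c hunk (@@ -4868,6 +4868,10) the SvTAINTED_on(sv) call is wrapped in "#ifndef INCOMPLETE_TAINTS", so a build that defines that symbol returns an untainted pw_shell, while the perldelta, perlfunc and perlsec text added by this patch states without qualification that the shell is tainted. Either document the build-time exception in the pod or explain in the code comment why the guard is needed here. The diffstat lists only three pod files and pp_sys.c, so no test accompanies the change; a taint test asserting that the shell field from getpwent(), getpwnam() and getpwuid() is tainted would keep this from regressing. The comment "user himself can diddle with it" could also say plainly that the user can change the login shell without privilege.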