author | Tony Cook <tony@develop-help.com> | 2013-08-26 11:26:19 +1000 |
---|---|---|
committer | Tony Cook <tony@develop-help.com> | 2013-08-26 14:06:16 +1000 |
commit | c8028aa68dedb3c7683abb0bcf0fdba782a1190e (patch) | |
tree | 0c1acb4263f2d3d1b08e2e42d1ad18b2686617d8 /doio.c | |
parent | 5f7c1602dfa694a4a6761e9e4fc077ce794f7ff0 (diff) | |
[perl #117265] safesyscalls: check embedded nul in syscall args
Check for the nul char in pathnames and string arguments to
syscalls, return undef and set errno to ENOENT.
Added to the io warnings category syscalls.
Strings with embedded \0 chars were prev. ignored in the syscall but
kept in perl. The hidden payloads in these invalid string args may cause
unnoticed security problems, as they are hard to detect, ignored by
the syscalls but kept around in perl PVs.
Allow an ending \0 though, as several modules add a \0 to
such strings without adjusting the length.
This is based on a change originally by Reini Urban, but pretty much
all of the code has been replaced.
Diffstat (limited to 'doio.c')
-rw-r--r-- | doio.c | 25 |
1 files changed, 21 insertions, 4 deletions
@@ -216,6 +216,9 @@ Perl_do_openn(pTHX_ GV *gv, const char *oname, I32 len, int as_raw, goto say_false; } #endif /* USE_STDIO */ + if (!IS_SAFE_PATHNAME(*svp, "open")) + goto say_false; + name = (SvOK(*svp) || SvGMAGICAL(*svp)) ? savesvpv (*svp) : savepvs (""); SAVEFREEPV(name); @@ -1660,8 +1663,10 @@ Perl_apply(pTHX_ I32 type, SV **mark, SV **sp) else { const char *name = SvPV_nomg_const_nolen(*mark); APPLY_TAINT_PROPER(); - if (PerlLIO_chmod(name, val)) - tot--; + if (!IS_SAFE_PATHNAME(*mark, "chmod") || + PerlLIO_chmod(name, val)) { + tot--; + } } } } @@ -1694,8 +1699,10 @@ Perl_apply(pTHX_ I32 type, SV **mark, SV **sp) else { const char *name = SvPV_nomg_const_nolen(*mark); APPLY_TAINT_PROPER(); - if (PerlLIO_chown(name, val, val2)) + if (!IS_SAFE_PATHNAME(*mark, "chown") || + PerlLIO_chown(name, val, val2)) { tot--; + } } } } @@ -1795,7 +1802,10 @@ nothing in the core. while (++mark <= sp) { s = SvPV_nolen_const(*mark); APPLY_TAINT_PROPER(); - if (PerlProc_geteuid() || PL_unsafe) { + if (!IS_SAFE_PATHNAME(*mark, "unlink")) { + tot--; + } + else if (PerlProc_geteuid() || PL_unsafe) { if (UNLINK(s)) tot--; } @@ -1873,6 +1883,10 @@ nothing in the core. else { const char * const name = SvPV_nomg_const_nolen(*mark); APPLY_TAINT_PROPER(); + if (!IS_SAFE_PATHNAME(*mark, "utime")) { + tot--; + } + else #ifdef HAS_FUTIMES if (utimes(name, (struct timeval *)utbufp)) #else @@ -2365,6 +2379,9 @@ Perl_start_glob (pTHX_ SV *tmpglob, IO *io) PERL_ARGS_ASSERT_START_GLOB; + if (!IS_SAFE_SYSCALL(tmpglob, "pattern", "glob")) + return NULL; + ENTER; SAVEFREESV(tmpcmd); #ifdef VMS /* expand the wildcards right here, rather than opening a pipe, */ |
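Review bot: In the Perl_do_openn hunk the new `IS_SAFE_PATHNAME(*svp, "open")` check reads the SV, while the string actually used is fetched separately by `savesvpv (*svp)` on the following line, so the bytes validated are not guaranteed to be the bytes used when `*svp` carries get-magic (the `SvGMAGICAL(*svp)` test right below suggests it can). The macro is defined outside this file, so whether it re-runs magic or re-reads the buffer is an inference to confirm. The same split between check and use appears in the chmod, chown, unlink and utime hunks of Perl_apply, where `name`/`s` is fetched by `SvPV_nomg_const_nolen`/`SvPV_nolen_const` and the check then goes back to `*mark`. Fetching pointer and length once and running the embedded-NUL test over that same buffer would close the gap; at minimum add a comment such as `/* NUL check reads the SV; the string passed on is fetched separately */` so the two reads are not reordered later.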
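Review bot: In the utime hunk of Perl_apply the added `else` has no braces and is followed directly by `#ifdef HAS_FUTIMES`, so it binds to whichever `if (utimes(...))` or `#else` alternative the preprocessor selects, which is easy to break the next time that conditional is edited. The chmod and chown hunks in this commit fold the check into the existing condition and brace the body; this one would read more safely as `else { /* utimes()/utime() call selected below */` with the matching `}` after the conditional statement. The `#else`/`#endif` part of the statement lies outside the hunk, so the closing point needs checking against the full function.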
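Review bot: In the Perl_start_glob hunk the new `return NULL;` sits before `ENTER; SAVEFREESV(tmpcmd);`, so if `tmpcmd` is already allocated at that point (its declaration is above the hunk and not visible here) every rejected pattern leaks it. Either move the check below `SAVEFREESV(tmpcmd);` and call `LEAVE;` before returning, or release it explicitly: `if (!IS_SAFE_SYSCALL(tmpglob, "pattern", "glob")) { SvREFCNT_dec(tmpcmd); return NULL; }`. Glob patterns often come from external input, so a per-call leak on the rejection path is worth closing in the same change.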