SEI CERT Perl Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 14

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter , or cause a denial of service. She can also modify values, perhaps by using the %n|| conversion specifier, and use these values to divert control flow. Their capabilities are not as strong as in C [Seacord 2005]; nonetheless the danger is sufficiently great that the formatted output functions {{sprintf() and printf() should never be passed unsanitized format strings.

...

Code Block
bgColor#ffcccc
langperl
my $host = `hostname`;
chop($host);
my $prompt = "$ENV{USER}\@$host";

sub validate_password {
  my ($prompt, $password) = @_;
  my $is_ok = ($password eq "goodpass");
  printf "$prompt: Password ok? %d\n", $is_ok;
  return $is_ok;
};

my $host = `hostname`;
chop($host);
my $prompt = "$ENV{USER}\@$host";
if (validate_password( $prompt, $ARGV[0])) {
  print "$prompt: access granted\n";
} else {
  print "$prompt: access denied\n";
};

The program works as expected as long as the user name and host name are benign:

...

In this invocation, the malicious user name user%n was incomprorated incorporated into the $prompt string. When fed to the printf() call inside validate_password(), the %n instructed Perl to fill the first format string argument with the number of characters printed. This , which caused Perl to set the $is_ok variable to 4. Since it is now nonzero, the program incorrectly grants access to the user.

...

Code Block
bgColor#ccccff
langperl
sub validate_password {
  my ($prompt, $password) = @_;
  my $is_ok = ($password eq "goodpass");
  print "$prompt: Password ok? $is_ok\n";
  return $is_ok;
};

# ...

...

Automated Detection

Perl's Taint taint mode provides partial detection of unsanitized input in format strings.

Perl's warnings can detect if a call to printf() or sprintf() contains the wrong number of format string arguments.

Tool

Diagnostic

 Warnings

Missing argument in .*printf

Taint modeInsecure dependency in .*printf

Related Guidelines

SEI CERT C

...

Coding Standard

...

FIO30-C. Exclude user input from format strings
SEI CERT C++

...

Coding Standard

...

VOID FIO30-CPP. Exclude user input from format strings

...

CERT Oracle Secure Coding Standard for Java

...

IDS06-J. Exclude unsanitized user input from format strings
MITRE CWE

...

CWE-134, "Uncontrolled format string"

Bibliography

[Christey 2005]Format string vulnerabilities in Perl programs
[Seacord 2005]Chapter 6, "Formatted Output"
[VU#948385]

...

Perl contains an integer sign error in format string processing

...

[Wall 2011]perlfunc

 

...

Image Added Image Added Image Added01. Input Validation and Data Sanitization    01. Input Validation and Data Sanitization     02. Declarations and Initialization