How can my previously untainted data become tainted again?

Posted 2024-09-16 11:42:20


I have a bit of a mystery here that I am not quite understanding the root cause of. I am getting an 'Insecure dependency in unlink while running with -T switch' when trying to invoke unlink from a script. That is not the mystery, as I realize that this means Perl is saying I am trying to use tainted data. The mystery is that this data was previously untainted in another script that saved it to disk without any problems.

Here's how it goes... The first script creates a binary file name using the following

use File::Basename qw(fileparse);   # provides fileparse() used below

# For the binary file upload
my $extensioncheck = '';

my $safe_filename_characters = "a-zA-Z0-9_.";
if ( $item_photo )
{
  # Allowable File Type Check
  my ( $name, $path, $extension ) = fileparse ( $item_photo, '\..*' );
  $extensioncheck = lc($extension);
  if (( $extensioncheck ne ".jpg" ) && ( $extensioncheck ne ".jpeg" ) &&
      ( $extensioncheck ne ".png" ) && ( $extensioncheck ne ".gif" ))
  {
    die "Your photo file is in a prohibited file format.";
  }

  # Rename file to Ad ID for adphoto directory use and untaint
  $item_photo = join "", $adID, $extensioncheck;
  $item_photo =~ tr/ /_/;
  $item_photo =~ s/[^$safe_filename_characters]//g;
  # The regex capture is what actually clears the taint flag
  if ( $item_photo =~ /^([$safe_filename_characters]+)$/ ) { $item_photo = $1; }
  else { die "Filename contains invalid characters"; }
}

$adID is generated by the script itself using a localtime(time) function, so it should not be tainted. $item_photo is reassigned using $adID and $extensioncheck BEFORE the taint check, so the new $item_photo is now untainted. I know this because $item_photo itself has no problem with unlink itself later in the script. $item_photo is only used long enough to create three other image files using ImageMagick before it's tossed using the unlink function. The three filenames created from the ImageMagick processing of $item_photo are created simply like so.

$largepicfilename  = $adID . "_large.jpg";
$adpagepicfilename = $adID . "_adpage.jpg";
$thumbnailfilename = $adID . "_thumbnail.jpg";

The paths are prepended to the new filenames to create the URLs, and are defined at the top of the script, so they can't be tainted as well. The URLs for these files are generated like so.

my $adpageURL = join "", $adpages_dir_URL, $adID, '.html';
my $largepicURL  = join "", $adphotos_dir_URL, $largepicfilename;
my $adpagepicURL = join "", $adphotos_dir_URL, $adpagepicfilename;
my $thumbnailURL = join "", $adphotos_dir_URL, $thumbnailfilename;

Then I write them to the record, knowing everything is untainted.

Now comes the screwy part. In a second script I read these files in to be deleted using the unlink function, and this is where I am getting my 'Insecure dependency' flag.

use Fcntl qw(:flock :seek);   # LOCK_SH and SEEK_SET constants

# Read in the current Ad Records Database
open (ADRECORDS, $adrecords_db) || die("Unable to Read Ad Records Database");
flock(ADRECORDS, LOCK_SH);
seek (ADRECORDS, 0, SEEK_SET);
my @adrecords_data = <ADRECORDS>;
close(ADRECORDS);

# Find the Ad in the Ad Records Database
ADRECORD1: foreach my $AdRecord (@adrecords_data)
{
  chomp($AdRecord);
  # Every field split out of a line read from the file is tainted under -T
  my($adID_In, $adpageURL_In, $largepicURL_In, $adpagepicURL_In, $thumbnailURL_In) = split(/\|/, $AdRecord);

  if ($flagadAdID ne $adID_In) { $AdRecordArrayNum++; next ADRECORD1 }
  else
  {
    # Delete the Ad Page and Ad Page Images
    unlink ("$adpageURL_In");
    unlink ("$largepicURL_In");
    unlink ("$adpagepicURL_In");
    unlink ("$thumbnailURL_In");
    last ADRECORD1;
  }
}

I know I can just untaint them again, or even just blow them on through knowing that the data is safe, but that is not the point. What I want is to understand WHY this is happening in the first place, as I am not understanding how this previously untainted data is now being seen as tainted. Any help to enlighten where I am missing this connection would be truly appreciated, because I really want to understand this rather than just write the hack to fix it.


Comments (1)

小ぇ时光︴ 2024-09-23 11:42:20


Saving data to a file doesn't save any "tainted" bit with the data. It's just data, coming from an external source, so when Perl reads it it becomes automatically tainted. In your second script, you will have to explicitly untaint the data.

After all, some other malicious program could have changed the data in the file before the second script has a chance to read it.
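A short Perl script, added here and not part of the question or the answer, that makes the point concrete: a value built in-script is clean, the same value read back from a file is tainted, and only a regex capture over the allowed character set clears the flag. The record layout and the filenames are constructed for this example to mirror the Ad Records file in the question.

```perl
#!/usr/bin/perl -T
# Added example: the taint flag does not survive a round trip through a file.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp qw(tempfile);

# Built in-script, like $adID in the question: untainted (constructed sample).
my $adID   = sprintf "%d", time;
my $record = join "|", $adID, "$adID.html", "${adID}_large.jpg";
print "in-script record tainted?      ", (tainted($record) ? "yes" : "no"), "\n";

# Save it exactly as the first script would (a temp file standing in for the DB).
my ($out, $db) = tempfile(UNLINK => 1);
print {$out} "$record\n";
close $out;

# Read it back, as the second script does. Everything from the filehandle is
# external data again, so Perl marks it tainted regardless of its history.
open my $in, '<', $db or die "cannot read $db: $!";
my @lines = <$in>;
close $in;
chomp @lines;
my ($id_in, $page_in, $pic_in) = split /\|/, $lines[0];
print "read-back field tainted?       ", (tainted($pic_in) ? "yes" : "no"), "\n";

# Untaint by extracting only the characters the first script permitted.
# A failed match dies rather than silently passing a bad name to unlink.
sub untaint_filename {
    my ($name) = @_;
    return $1 if $name =~ /^([a-zA-Z0-9_.]+)$/;
    die "Filename '$name' contains characters outside the allowed set";
}

my $safe_pic = untaint_filename($pic_in);
print "after regex capture tainted?   ", (tainted($safe_pic) ? "yes" : "no"), "\n";
# unlink($safe_pic) is now accepted under -T; unlink($pic_in) would die with
# "Insecure dependency in unlink while running with -T switch".
```

Run it as `perl -T example.pl` (the `-T` must also be on the command line, or Perl stops with "Too late for -T"); the three lines print no, yes, no.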
