如何清除 CGI.pm 中的系统调用
我有以下 CGI 脚本:
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI::Carp qw(fatalsToBrowser);
use CGI qw/:standard/;
my $query = CGI->new();
my $searchterm = param('name');
my $file = "justafile.txt";
# Begin searching terms and ignoring case
my @entries = `grep -i \"$searchterm\" $file`; # Line10
chomp @entries;
# Do something
当我执行该命令时,它会给我这个
Insecure dependency in `` while running with -T switch at /foo/cgi-bin/mycode.cgi line 10.
How line 10 can be fix?
I have the following CGI script:
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI::Carp qw(fatalsToBrowser);
use CGI qw/:standard/;
my $query = CGI->new();
my $searchterm = param('name');
my $file = "justafile.txt";
# Begin searching terms and ignoring case
my @entries = `grep -i \"$searchterm\" $file`; # Line10
chomp @entries;
# Do something
When I execute the command it gives me this
Insecure dependency in `` while running with -T switch at /foo/cgi-bin/mycode.cgi line 10.
How line 10 can be fixed?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
污染的全部目的是确保未经检查的输入不能提供给潜在不安全的函数。
在这种情况下,您的
$searchterm变量可能包含意外输入,这些输入可能允许攻击者在您的系统上执行任意程序。因此,您需要:
untaint 通过确保变量与预先确定的正则表达式匹配(请参阅@flesk的答案),此时 Perl 假设您知道自己在做什么,或者
不要使用反引号(根据@eugene y的答案)。
如果您使用反引号,您还应该指定
grep命令的完整路径,这样您就不会依赖于$PATH。The whole point of tainting is to ensure that unchecked input cannot be supplied to potentially unsafe functions.
In this case, your
$searchtermvariable might contain unexpected input that might allow an attacker to execute arbitrary programs on your system.Hence, you either need to:
untaint the variable by ensuring that it matches a pre-determined regexp (see @flesk's answer), at which point Perl assumes that you know what you're doing, or
don't use backticks (per @eugene y's answer).
If you're using backticks you should also specify the full path to the
grepcommand so that you're not depending on$PATH.使用内置的
grep函数,例如:Use the built-in
grepfunction, e.g.:我认为这里的问题是反引号运算符正在 perl 环境之外有效地执行代码,因此完全不可信,即。被污染了。
当然,您可以尝试在有问题的行之前执行类似的操作:
您可能仍然会从这一行收到错误:
要解决此问题,您可能只需给它一个绝对路径,例如:
您几乎肯定必须给您也使用反引号运算符执行的 grep 命令的绝对路径,因为清除环境变量将丢失路径。换句话说,
您可能还想在清除 $ENV 的值之前复制它,以防万一您以后需要它......
希望其中一些有所帮助!
I think the problem here is that the backtick operator is effectively executing code outside of the perl environment, and is therefore quite rightly not trusted, ie. tainted.
You could, of course, try doing something like this before the offending line:
You will probably still get an error from this line:
To fix that, you could probably just give it an absolute path, eg:
You would almost certainly have to give an absolute path to the grep command you are executing with the backtick operator too, as clearing the environment variables will loose the path. In other words do:
You might also want to copy the value of
$ENVbefore you clear it, just in case you need it later...Hope some of this helps!
-T开关仅警告您可能存在污染的输入:http: //perldoc.perl.org/perlsec.html#Taint-mode你需要自己去污染它,例如使用
这不是一个非常复杂的测试,而且可能也不太安全,除非你完全控制什么
\w匹配。编辑:更改了我的最小解决方案以反映下面评论中给出的信息。
The
-Tswitch only warns you about possible tainted input: http://perldoc.perl.org/perlsec.html#Taint-modeYou need to untaint it yourself, for example using
That's not a very sophisticated test though, and possibly not too safe either, unless you have complete control over what
\wmatches.EDIT: Changed my minimal solution to reflect the info given in the comments below.