Category Archives: Secure Programming Techniques

Perl v5.26 removes . from @INC, but don’t think you’re safe!

Perl’s @INC might find code that you don’t want. That array is list of directories that use, require, and do search to find modules and libraries. By default, the last entry has been ., which represents the current working directory. That’s not a real directory; it’s a pointer to a directory you’ll discover later. There’s a fix for one consequence of this problem, but there are still issues of trust. That’s security—there are always more problems.

Locks

“Locks”, by Chilanga Cement on Flickr.

Read more »

More fun with the diamond operator

In The double diamond, a more secure <>, I showed how the diamond operator treated some characters as special when it tried to open the filenames in @ARGV. I used a file name that ended with a | to read the output for an external command.

Thinking about it more, I realized the problem is even worse. Opening an external command to read the output might even be useful. What if I start the filename with > to open a file for writing, but not only writing, to truncate it to? Read more »

The double diamond, a more secure <>

We’ve had the three argument open since Perl 5.6. This allows us to separate the way we want to interact with the file from the filename. There’s a place where we don’t get to choose, but Perl 5.22 might introduce a new operator to handle that. Read more »

The Data::Dumper stack smash (fixed)

Problems with data serializers was a major change to Mastering Perl. The Storable issue with malformed inputs was known for a long time but nobody much cared about it. Now it’s Data::Dumper‘s turn. Read more »

New in “Secure Programming Techniques”

This chapter contains most of the original text, although with a few tweaks. There are two big additions which I did not cover in the first edition of this book.

I added a section on security with the DBI module and SQL injection. I don’t really think it belongs in this book any more than any other sort of problem with a CPAN module, but enough people complained that I relented.

And, I added a brief introduction to the Safe module. This is a rarely used security feature that you might find useful if you have to use string eval.

I’ve added some of the sample programs to the downloads page.

You can read the draft chapter now.

The Storable security problem

Recently, people have moved to close, or at least document, a security issue with Storable. This core module serializes and deserializes Perl data structures, and, as in many places in Perl, tries to be more helpful than we really want. In Mastering Perl, I talk about lightweight persistence in Chapter 14; Storable is a big part of that chapter.

There are two major problems. Someone can force Storable to load arbitrary modules, and someone can possibly run unexpected code. Read more »