Skip Menu |
 

This queue is for tickets about the Net-SFTP-Foreign CPAN distribution.

Report information
The Basics
Id: 106559
Status: resolved
Priority: 0/
Queue: Net-SFTP-Foreign

People
Owner: Nobody in particular
Requestors: Julian.Bridle [...] mrhgb.co.uk
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: setcwd fails in taint mode
Date: Thu, 20 Aug 2015 10:04:26 +0000
To: "'bug-Net-SFTP-Foreign [...] rt.cpan.org'" <bug-Net-SFTP-Foreign [...] rt.cpan.org>
From: Julian Bridle <Julian.Bridle [...] mrhgb.co.uk>
Download (untitled) / with headers
text/plain 2.8k
Firstly, thank you for the Net::SFTP:Foreign module. I use it for a communications subsystem transferring files between various third parties using a mixture of protocols and encryption, and have found it very useful alongside Net::FTP and LWP. On porting this system to a new server, I encountered a new problem. I realise something similar has been reported before with an incorrect example, but I'm reasonably experienced with taint mode and I'm pretty sure there is a bug: If I pass a guaranteed untainted variable (a literal value of "/" in this test case) to the setcwd method, it fails with a taint error. $remote->setcwd("/"); The environment where this issue occurs is: debian Jessie 8.1 perl 5.20.2 Net::SFTP::Foreign 1.77 (standard Jessie package libnet-sftp-foreign-perl) My old environment does NOT exhibit the problem with the same test script: debian squeeze 6.0.4 perl 5.10.1 Net::SFTP::Foreign 1.57 (standard squeeze package libnet-sftp-foreign-perl) I attach a test case. To show the error. perl setcwd_test.prl [ unsorted list of files/directories ] perl -T setcwd_test.prl Insecure argument '/' on 'stat' method call while running with -T switch at setcwd_test.prl line 13. Regards, Julian Bridle This e-mail has been sent by a company that is a member of the MRH (GB) Limited group of companies. MRH (GB) Limited is a company registered in England and Wales with the registration number 6360543. The Registered Office is Vincent House, 4 Grove Lane, Epping, Essex, CM16 4LH. Tel: +44 (0)1992 571937, Fax: +44 (0)1992 571950. The VAT Registration Number is: 718 6378 04. Different VAT numbers are in use by some of the other companies within the MRH (GB) Limited group. Confidentiality: This e-mail and its attachments are confidential, may be legally privileged and are intended solely for the above named addressee(s). However, in certain circumstances the contents of this e-mail may have to be disclosed in response to a request pursuant to the Data Protection Act. If you have received this e-mail in error you must take no action based on it or its attachments, nor must you copy or show them to anyone. You must notify the sender immediately and then delete the e-mail and any attachments. Security: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. E-mails are susceptible to interference. If you are in any doubt about the origins of this e-mail or whether its original content has been accurately reproduced, please verify its authenticity with the sender. We advise that you understand and observe this lack of security when e-mailing us. Viruses: Although reasonable steps have been taken to ensure that this e-mail and its attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure that they are actually virus free.
Download setcwd_test.prl
application/octet-stream 806b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 3.5k
The error comes from setcwd from the following line(s): my $a = $sftp->stat($cwd) or return undef; $cwd is tainted, it comes from $cwd = $sftp->realpath($cwd); realpath is defined as follows: *realpath = _gen_getpath_method(SSH2_FXP_REALPATH, SFTP_ERR_REMOTE_REALPATH_FAILED, "realpath"); In the sub returned from _gen_getpath_method, the path is created as return $sftp->_fs_decode($msg->get_str); I'm not sure which part is the correct one for untainting. Ch. On Thu Aug 20 06:04:55 2015, Julian.Bridle@mrhgb.co.uk wrote: Show quoted text
> Firstly, thank you for the Net::SFTP:Foreign module. I use it for a > communications subsystem transferring files between various third > parties using a mixture of protocols and encryption, and have found it > very useful alongside Net::FTP and LWP. On porting this system to a > new server, I encountered a new problem. I realise something similar > has been reported before with an incorrect example, but I'm reasonably > experienced with taint mode and I'm pretty sure there is a bug: > > If I pass a guaranteed untainted variable (a literal value of "/" in > this test case) to the setcwd method, it fails with a taint error. > > $remote->setcwd("/"); > > The environment where this issue occurs is: > > debian Jessie 8.1 > perl 5.20.2 > Net::SFTP::Foreign 1.77 (standard Jessie package libnet-sftp-foreign- > perl) > > My old environment does NOT exhibit the problem with the same test > script: > > debian squeeze 6.0.4 > perl 5.10.1 > Net::SFTP::Foreign 1.57 (standard squeeze package libnet-sftp- > foreign-perl) > > I attach a test case. To show the error. > > perl setcwd_test.prl > [ unsorted list of files/directories ] > > perl -T setcwd_test.prl > Insecure argument '/' on 'stat' method call while running with -T > switch at setcwd_test.prl line 13. > > Regards, > > Julian Bridle > > This e-mail has been sent by a company that is a member of the MRH > (GB) Limited group of companies. MRH (GB) Limited is a company > registered in England and Wales with the registration number 6360543. > The Registered Office is Vincent House, 4 Grove Lane, Epping, Essex, > CM16 4LH. Tel: +44 (0)1992 571937, Fax: +44 (0)1992 571950. The VAT > Registration Number is: 718 6378 04. Different VAT numbers are in use > by some of the other companies within the MRH (GB) Limited group. > Confidentiality: This e-mail and its attachments are confidential, may > be legally privileged and are intended solely for the above named > addressee(s). However, in certain circumstances the contents of this > e-mail may have to be disclosed in response to a request pursuant to > the Data Protection Act. If you have received this e-mail in error you > must take no action based on it or its attachments, nor must you copy > or show them to anyone. You must notify the sender immediately and > then delete the e-mail and any attachments. Security: Please note that > this e-mail has been created in the knowledge that Internet e-mail is > not a 100% secure communications medium. E-mails are susceptible to > interference. If you are in any doubt about the origins of this e-mail > or whether its original content has been accurately reproduced, please > verify its authenticity with the sender. We advise that you understand > and observe this lack of security when e-mailing us. Viruses: Although > reasonable steps have been taken to ensure that this e-mail and its > attachments are free from any virus, we advise that in keeping with > good computing practice the recipient should ensure that they are > actually virus free.
Subject: Re: [rt.cpan.org #106559] setcwd fails in taint mode
Date: Tue, 6 Oct 2015 12:34:09 +0000 (UTC)
To: "bug-Net-SFTP-Foreign [...] rt.cpan.org" <bug-Net-SFTP-Foreign [...] rt.cpan.org>
From: Salvador Fandino <sfandino [...] yahoo.com>
Download (untitled) / with headers
text/plain 1.3k
Show quoted text
----- Original Message -----
> From: E. Choroba via RT <bug-Net-SFTP-Foreign@rt.cpan.org> > To: > Cc: > Sent: Sunday, October 4, 2015 9:54 PM > Subject: [rt.cpan.org #106559] setcwd fails in taint mode > > Queue: Net-SFTP-Foreign > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=106559 > > > The error comes from setcwd from the following line(s): > > my $a = $sftp->stat($cwd) > or return undef; > > $cwd is tainted, it comes from > > $cwd = $sftp->realpath($cwd); > > realpath is defined as follows: > > *realpath = _gen_getpath_method(SSH2_FXP_REALPATH, > SFTP_ERR_REMOTE_REALPATH_FAILED, > "realpath"); > > In the sub returned from _gen_getpath_method, the path is created as > > return $sftp->_fs_decode($msg->get_str); >
> I'm not sure which part is the correct one for untainting.
That is a tricky matter as the data coming from the SFTP connection should be left marked as tainted. For now, it is just untainting the realpath coming from the remote host explicitly inside setcwd. A new developing version of the module with that fix is available: https://metacpan.org/release/SALVA/Net-SFTP-Foreign-1.78_07 Anyway, other high level methods would probably have similar issues. Don't hesitate to report them if you find any. Thank you!
Subject: RE: [rt.cpan.org #106559] setcwd fails in taint mode
Date: Thu, 8 Oct 2015 10:25:21 +0000
To: "'bug-Net-SFTP-Foreign [...] rt.cpan.org'" <bug-Net-SFTP-Foreign [...] rt.cpan.org>
From: Julian Bridle <Julian.Bridle [...] mrhgb.co.uk>
Download (untitled) / with headers
text/plain 3.3k
Thanks for that - I'll give it a try. Julian Show quoted text
-----Original Message----- From: Salvador \"Fandiño\" via RT [mailto:bug-Net-SFTP-Foreign@rt.cpan.org] Sent: 06 October 2015 13:34 To: Julian Bridle Subject: Re: [rt.cpan.org #106559] setcwd fails in taint mode <URL: https://rt.cpan.org/Ticket/Display.html?id=106559 >
----- Original Message -----
> From: E. Choroba via RT <bug-Net-SFTP-Foreign@rt.cpan.org> > To: > Cc: > Sent: Sunday, October 4, 2015 9:54 PM > Subject: [rt.cpan.org #106559] setcwd fails in taint mode > > Queue: Net-SFTP-Foreign > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=106559 > > > The error comes from setcwd from the following line(s): > > my $a = $sftp->stat($cwd) > or return undef; > > $cwd is tainted, it comes from > > $cwd = $sftp->realpath($cwd); > > realpath is defined as follows: > > *realpath = _gen_getpath_method(SSH2_FXP_REALPATH, > SFTP_ERR_REMOTE_REALPATH_FAILED, > "realpath"); > > In the sub returned from _gen_getpath_method, the path is created as > > return $sftp->_fs_decode($msg->get_str); >
> I'm not sure which part is the correct one for untainting.
That is a tricky matter as the data coming from the SFTP connection should be left marked as tainted. For now, it is just untainting the realpath coming from the remote host explicitly inside setcwd. A new developing version of the module with that fix is available: https://metacpan.org/release/SALVA/Net-SFTP-Foreign-1.78_07 Anyway, other high level methods would probably have similar issues. Don't hesitate to report them if you find any. Thank you! This e-mail has been sent by a company that is a member of the MRH (GB) Limited group of companies. MRH (GB) Limited is a company registered in England and Wales with the registration number 6360543. The Registered Office is Vincent House, 4 Grove Lane, Epping, Essex, CM16 4LH. Tel: +44 (0)1992 571937, Fax: +44 (0)1992 571950. The VAT Registration Number is: 718 6378 04. Different VAT numbers are in use by some of the other companies within the MRH (GB) Limited group. Confidentiality: This e-mail and its attachments are confidential, may be legally privileged and are intended solely for the above named addressee(s). However, in certain circumstances the contents of this e-mail may have to be disclosed in response to a request pursuant to the Data Protection Act. If you have received this e-mail in error you must take no action based on it or its attachments, nor must you copy or show them to anyone. You must notify the sender immediately and then delete the e-mail and any attachments. Security: Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. E-mails are susceptible to interference. If you are in any doubt about the origins of this e-mail or whether its original content has been accurately reproduced, please verify its authenticity with the sender. We advise that you understand and observe this lack of security when e-mailing us. Viruses: Although reasonable steps have been taken to ensure that this e-mail and its attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure that they are actually virus free.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.