[Petal] Petal 1.10_06 Released

William McKee william at knowmad.com
Fri Oct 10 15:24:57 BST 2003


On Fri, Oct 10, 2003 at 12:03:24PM +0100, Jean-Michel Hiver wrote:
> I have released Petal 1.10_06, with the following changes:
> 
>     - Uncommented TAINT stuff (again!)

Should that be commented?


> William, since it seems that Petal without Petal::Parser::HTB runs fine
> with TAINT mode I have uncommented that stuff - I'll try to address the
> problem in Petal::Parser::HTB later on.

That's fine with me but I hope that you realize you are not addressing
the reason it runs fine. MKDoc::XML is using the REX to extract all data
which in turn uses backreferences and thereby makes Perl no longer
consider the data to be tainted. This untainting is merely a side-effect
of REX, not an intentional cleaning of the data as is intended for taint
to be effective[1].

Now, it could be argued that the pgmmer should be sure to clean the data
before passing it to Petal. However, it seems that the best solution is
to run the code inside a Safe compartment if $Petal::TAINT is enabled.
It's weird that the code being returned by MKDoc::XML fails to run
inside the Safe compartment whereas the code returned by
Petal::Parser::HTB runs fine. That's where I think we should spend our
efforts in fixing taintmode, not in making HTB return untainted code by
running it through a regex that cannot effectively clean the data.

FYI, there are two reasons why I think Perl is seeing taintedness in the
Petal code:
	- the template file is coming from the disk
	- the values being inserted into the template file are coming from
	  outside the code

Until these are cleaned via backreferences, we'll get taint errors. A
quick test though reveals that Petal is also somehow cleaning up
external values although I'm not sure where/why this is happening. The
subroutine listed in perlsec[1] shows the external data to be tainted
before being passed into Petal. Even though these are considered "clean"
by Perl, I cannot imagine that the data has actually been properly
examined.

The reason I'm taking my time and yours to go over this issue, is that I
foresee the potential for template injection attacks, similar to SQL
injection hacks. Whether or not it is likely, it seems like a
possibility. However, I'm not intimately familiar with the internals of
Petal so could be wasting my efforts. Does no one else see this potential
for injection attacks?


> Other than that, this version of Petal should properly decode HTML
> entities if either $Petal::INPUT or $Petal::OUTPUT is set to 'HTML' or
> 'XHTML'.

Can you explain what that means from a practical perspective? Did
someone have a problem with this? Will it change Petal's behavior?


Thanks,
William

[1]
http://www.perldoc.com/perl5.6.1/pod/perlsec.html#Laundering-and-Detecting-Tainted-Data

-- 
Knowmad Services Inc.
http://www.knowmad.com
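The point William makes about backreferences can be checked directly. The script below is an added illustration, not code from the Petal thread or from Petal/MKDoc::XML: it builds a tainted string, shows that an all-accepting capture such as `/(.*)/` clears the taint flag without validating anything, contrasts that with a whitelist pattern, and reproduces the string-eval check that the perlsec "Laundering and Detecting Tainted Data" subroutine relies on. Run it under `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example (not from the Petal thread): a regex capture launders taint
# whether or not the pattern checks anything. Run as: perl -T launder.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Construct a tainted value: every %ENV value is tainted under -T, and
# concatenating a tainted (empty) substring propagates the flag.
my $external = substr(join('', values %ENV), 0, 0) . 'constructed <b>sample</b>';

# Launder the way a blanket extraction regex does: the capture matches
# anything, so nothing is actually examined.
sub launder_blindly {
    my ($value) = @_;
    my ($clean) = $value =~ /(.*)/s;
    return $clean;
}

# Launder only through a whitelist; return undef if the value fails it.
sub launder_checked {
    my ($value) = @_;
    return unless $value =~ /^([\w\s.,-]+)\z/;   # word chars, space, . , -
    return $1;
}

# Same mechanism as the perlsec detector: string eval of tainted data dies
# under -T, even when the tainted part is an empty string.
sub is_tainted_by_eval {
    my ($value) = @_;
    return !eval { eval('#' . substr($value, 0, 0)); 1 };
}

printf "original tainted? %s / %s\n",
    tainted($external) ? 'yes' : 'no',
    is_tainted_by_eval($external) ? 'yes' : 'no';     # yes / yes

my $blind = launder_blindly($external);
printf "after /(.*)/ tainted? %s, value still: %s\n",
    tainted($blind) ? 'yes' : 'no', $blind;           # no, markup intact

my $checked = launder_checked($external);
print defined $checked
    ? "whitelist passed: $checked\n"
    : "whitelist rejected the value\n";               # rejected: '<', '>', '/'
```

The second run shows the gap the mail describes: the blindly captured value is "clean" as far as Perl is concerned yet unchanged in content, so the taint check no longer tells you anything about whether the data was actually vetted.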