1=head1 NAME 2 3perlsec - Perl security 4 5=head1 DESCRIPTION 6 7Perl is designed to make it easy to program securely even when running 8with extra privileges, like setuid or setgid programs. Unlike most 9command line shells, which are based on multiple substitution passes on 10each line of the script, Perl uses a more conventional evaluation scheme 11with fewer hidden snags. Additionally, because the language has more 12builtin functionality, it can rely less upon external (and possibly 13untrustworthy) programs to accomplish its purposes. 14 15=head1 SECURITY VULNERABILITY CONTACT INFORMATION 16 17If you believe you have found a security vulnerability in Perl, please email 18perl5-security-report@perl.org with details. This points to a closed 19subscription, unarchived mailing list. Please only use this address for 20security issues in the Perl core, not for modules independently distributed on 21CPAN. 22 23=head1 SECURITY MECHANISMS AND CONCERNS 24 25=head2 Taint mode 26 27Perl automatically enables a set of special security checks, called I<taint 28mode>, when it detects its program running with differing real and effective 29user or group IDs. The setuid bit in Unix permissions is mode 04000, the 30setgid bit mode 02000; either or both may be set. You can also enable taint 31mode explicitly by using the B<-T> command line flag. This flag is 32I<strongly> suggested for server programs and any program run on behalf of 33someone else, such as a CGI script. Once taint mode is on, it's on for 34the remainder of your script. 35 36While in this mode, Perl takes special precautions called I<taint 37checks> to prevent both obvious and subtle traps. Some of these checks 38are reasonably simple, such as verifying that path directories aren't 39writable by others; careful programmers have always used checks like 40these. Other checks, however, are best supported by the language itself, 41and it is these checks especially that contribute to making a set-id Perl 42program more secure than the corresponding C program. 43 44You may not use data derived from outside your program to affect 45something else outside your program--at least, not by accident. All 46command line arguments, environment variables, locale information (see 47L<perllocale>), results of certain system calls (C<readdir()>, 48C<readlink()>, the variable of C<shmread()>, the messages returned by 49C<msgrcv()>, the password, gcos and shell fields returned by the 50C<getpwxxx()> calls), and all file input are marked as "tainted". 51Tainted data may not be used directly or indirectly in any command 52that invokes a sub-shell, nor in any command that modifies files, 53directories, or processes, B<with the following exceptions>: 54 55=over 4 56 57=item * 58 59Arguments to C<print> and C<syswrite> are B<not> checked for taintedness. 60 61=item * 62 63Symbolic methods 64 65 $obj->$method(@args); 66 67and symbolic sub references 68 69 &{$foo}(@args); 70 $foo->(@args); 71 72are not checked for taintedness. This requires extra carefulness 73unless you want external data to affect your control flow. Unless 74you carefully limit what these symbolic values are, people are able 75to call functions B<outside> your Perl code, such as POSIX::system, 76in which case they are able to run arbitrary external code. 77 78=item * 79 80Hash keys are B<never> tainted. 81 82=back 83 84For efficiency reasons, Perl takes a conservative view of 85whether data is tainted. If an expression contains tainted data, 86any subexpression may be considered tainted, even if the value 87of the subexpression is not itself affected by the tainted data. 88 89Because taintedness is associated with each scalar value, some 90elements of an array or hash can be tainted and others not. 91The keys of a hash are B<never> tainted. 92 93For example: 94 95 $arg = shift; # $arg is tainted 96 $hid = $arg . 'bar'; # $hid is also tainted 97 $line = <>; # Tainted 98 $line = <STDIN>; # Also tainted 99 open FOO, "/home/me/bar" or die $!; 100 $line = <FOO>; # Still tainted 101 $path = $ENV{'PATH'}; # Tainted, but see below 102 $data = 'abc'; # Not tainted 103 104 system "echo $arg"; # Insecure 105 system "/bin/echo", $arg; # Considered insecure 106 # (Perl doesn't know about /bin/echo) 107 system "echo $hid"; # Insecure 108 system "echo $data"; # Insecure until PATH set 109 110 $path = $ENV{'PATH'}; # $path now tainted 111 112 $ENV{'PATH'} = '/bin:/usr/bin'; 113 delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; 114 115 $path = $ENV{'PATH'}; # $path now NOT tainted 116 system "echo $data"; # Is secure now! 117 118 open(FOO, "< $arg"); # OK - read-only file 119 open(FOO, "> $arg"); # Not OK - trying to write 120 121 open(FOO,"echo $arg|"); # Not OK 122 open(FOO,"-|") 123 or exec 'echo', $arg; # Also not OK 124 125 $shout = `echo $arg`; # Insecure, $shout now tainted 126 127 unlink $data, $arg; # Insecure 128 umask $arg; # Insecure 129 130 exec "echo $arg"; # Insecure 131 exec "echo", $arg; # Insecure 132 exec "sh", '-c', $arg; # Very insecure! 133 134 @files = <*.c>; # insecure (uses readdir() or similar) 135 @files = glob('*.c'); # insecure (uses readdir() or similar) 136 137 # In either case, the results of glob are tainted, since the list of 138 # filenames comes from outside of the program. 139 140 $bad = ($arg, 23); # $bad will be tainted 141 $arg, `true`; # Insecure (although it isn't really) 142 143If you try to do something insecure, you will get a fatal error saying 144something like "Insecure dependency" or "Insecure $ENV{PATH}". 145 146The exception to the principle of "one tainted value taints the whole 147expression" is with the ternary conditional operator C<?:>. Since code 148with a ternary conditional 149 150 $result = $tainted_value ? "Untainted" : "Also untainted"; 151 152is effectively 153 154 if ( $tainted_value ) { 155 $result = "Untainted"; 156 } else { 157 $result = "Also untainted"; 158 } 159 160it doesn't make sense for C<$result> to be tainted. 161 162=head2 Laundering and Detecting Tainted Data 163 164To test whether a variable contains tainted data, and whose use would 165thus trigger an "Insecure dependency" message, you can use the 166C<tainted()> function of the Scalar::Util module, available in your 167nearby CPAN mirror, and included in Perl starting from the release 5.8.0. 168Or you may be able to use the following C<is_tainted()> function. 169 170 sub is_tainted { 171 local $@; # Don't pollute caller's value. 172 return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }; 173 } 174 175This function makes use of the fact that the presence of tainted data 176anywhere within an expression renders the entire expression tainted. It 177would be inefficient for every operator to test every argument for 178taintedness. Instead, the slightly more efficient and conservative 179approach is used that if any tainted value has been accessed within the 180same expression, the whole expression is considered tainted. 181 182But testing for taintedness gets you only so far. Sometimes you have just 183to clear your data's taintedness. Values may be untainted by using them 184as keys in a hash; otherwise the only way to bypass the tainting 185mechanism is by referencing subpatterns from a regular expression match. 186Perl presumes that if you reference a substring using $1, $2, etc. in a 187non-tainting pattern, that 188you knew what you were doing when you wrote that pattern. That means using 189a bit of thought--don't just blindly untaint anything, or you defeat the 190entire mechanism. It's better to verify that the variable has only good 191characters (for certain values of "good") rather than checking whether it 192has any bad characters. That's because it's far too easy to miss bad 193characters that you never thought of. 194 195Here's a test to make sure that the data contains nothing but "word" 196characters (alphabetics, numerics, and underscores), a hyphen, an at sign, 197or a dot. 198 199 if ($data =~ /^([-\@\w.]+)$/) { 200 $data = $1; # $data now untainted 201 } else { 202 die "Bad data in '$data'"; # log this somewhere 203 } 204 205This is fairly secure because C</\w+/> doesn't normally match shell 206metacharacters, nor are dot, dash, or at going to mean something special 207to the shell. Use of C</.+/> would have been insecure in theory because 208it lets everything through, but Perl doesn't check for that. The lesson 209is that when untainting, you must be exceedingly careful with your patterns. 210Laundering data using regular expression is the I<only> mechanism for 211untainting dirty data, unless you use the strategy detailed below to fork 212a child of lesser privilege. 213 214The example does not untaint C<$data> if C<use locale> is in effect, 215because the characters matched by C<\w> are determined by the locale. 216Perl considers that locale definitions are untrustworthy because they 217contain data from outside the program. If you are writing a 218locale-aware program, and want to launder data with a regular expression 219containing C<\w>, put C<no locale> ahead of the expression in the same 220block. See L<perllocale/SECURITY> for further discussion and examples. 221 222=head2 Switches On the "#!" Line 223 224When you make a script executable, in order to make it usable as a 225command, the system will pass switches to perl from the script's #! 226line. Perl checks that any command line switches given to a setuid 227(or setgid) script actually match the ones set on the #! line. Some 228Unix and Unix-like environments impose a one-switch limit on the #! 229line, so you may need to use something like C<-wU> instead of C<-w -U> 230under such systems. (This issue should arise only in Unix or 231Unix-like environments that support #! and setuid or setgid scripts.) 232 233=head2 Taint mode and @INC 234 235When the taint mode (C<-T>) is in effect, the "." directory is removed 236from C<@INC>, and the environment variables C<PERL5LIB> and C<PERLLIB> 237are ignored by Perl. You can still adjust C<@INC> from outside the 238program by using the C<-I> command line option as explained in 239L<perlrun>. The two environment variables are ignored because 240they are obscured, and a user running a program could be unaware that 241they are set, whereas the C<-I> option is clearly visible and 242therefore permitted. 243 244Another way to modify C<@INC> without modifying the program, is to use 245the C<lib> pragma, e.g.: 246 247 perl -Mlib=/foo program 248 249The benefit of using C<-Mlib=/foo> over C<-I/foo>, is that the former 250will automagically remove any duplicated directories, while the latter 251will not. 252 253Note that if a tainted string is added to C<@INC>, the following 254problem will be reported: 255 256 Insecure dependency in require while running with -T switch 257 258=head2 Cleaning Up Your Path 259 260For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to 261a known value, and each directory in the path must be absolute and 262non-writable by others than its owner and group. You may be surprised to 263get this message even if the pathname to your executable is fully 264qualified. This is I<not> generated because you didn't supply a full path 265to the program; instead, it's generated because you never set your PATH 266environment variable, or you didn't set it to something that was safe. 267Because Perl can't guarantee that the executable in question isn't itself 268going to turn around and execute some other program that is dependent on 269your PATH, it makes sure you set the PATH. 270 271The PATH isn't the only environment variable which can cause problems. 272Because some shells may use the variables IFS, CDPATH, ENV, and 273BASH_ENV, Perl checks that those are either empty or untainted when 274starting subprocesses. You may wish to add something like this to your 275setid and taint-checking scripts. 276 277 delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer 278 279It's also possible to get into trouble with other operations that don't 280care whether they use tainted values. Make judicious use of the file 281tests in dealing with any user-supplied filenames. When possible, do 282opens and such B<after> properly dropping any special user (or group!) 283privileges. Perl doesn't prevent you from 284opening tainted filenames for reading, 285so be careful what you print out. The tainting mechanism is intended to 286prevent stupid mistakes, not to remove the need for thought. 287 288Perl does not call the shell to expand wild cards when you pass C<system> 289and C<exec> explicit parameter lists instead of strings with possible shell 290wildcards in them. Unfortunately, the C<open>, C<glob>, and 291backtick functions provide no such alternate calling convention, so more 292subterfuge will be required. 293 294Perl provides a reasonably safe way to open a file or pipe from a setuid 295or setgid program: just create a child process with reduced privilege who 296does the dirty work for you. First, fork a child using the special 297C<open> syntax that connects the parent and child by a pipe. Now the 298child resets its ID set and any other per-process attributes, like 299environment variables, umasks, current working directories, back to the 300originals or known safe values. Then the child process, which no longer 301has any special permissions, does the C<open> or other system call. 302Finally, the child passes the data it managed to access back to the 303parent. Because the file or pipe was opened in the child while running 304under less privilege than the parent, it's not apt to be tricked into 305doing something it shouldn't. 306 307Here's a way to do backticks reasonably safely. Notice how the C<exec> is 308not called with a string that the shell could expand. This is by far the 309best way to call something that might be subjected to shell escapes: just 310never call the shell at all. 311 312 use English; 313 die "Can't fork: $!" unless defined($pid = open(KID, "-|")); 314 if ($pid) { # parent 315 while (<KID>) { 316 # do something 317 } 318 close KID; 319 } else { 320 my @temp = ($EUID, $EGID); 321 my $orig_uid = $UID; 322 my $orig_gid = $GID; 323 $EUID = $UID; 324 $EGID = $GID; 325 # Drop privileges 326 $UID = $orig_uid; 327 $GID = $orig_gid; 328 # Make sure privs are really gone 329 ($EUID, $EGID) = @temp; 330 die "Can't drop privileges" 331 unless $UID == $EUID && $GID eq $EGID; 332 $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH. 333 # Consider sanitizing the environment even more. 334 exec 'myprog', 'arg1', 'arg2' 335 or die "can't exec myprog: $!"; 336 } 337 338A similar strategy would work for wildcard expansion via C<glob>, although 339you can use C<readdir> instead. 340 341Taint checking is most useful when although you trust yourself not to have 342written a program to give away the farm, you don't necessarily trust those 343who end up using it not to try to trick it into doing something bad. This 344is the kind of security checking that's useful for set-id programs and 345programs launched on someone else's behalf, like CGI programs. 346 347This is quite different, however, from not even trusting the writer of the 348code not to try to do something evil. That's the kind of trust needed 349when someone hands you a program you've never seen before and says, "Here, 350run this." For that kind of safety, you might want to check out the Safe 351module, included standard in the Perl distribution. This module allows the 352programmer to set up special compartments in which all system operations 353are trapped and namespace access is carefully controlled. Safe should 354not be considered bullet-proof, though: it will not prevent the foreign 355code to set up infinite loops, allocate gigabytes of memory, or even 356abusing perl bugs to make the host interpreter crash or behave in 357unpredictable ways. In any case it's better avoided completely if you're 358really concerned about security. 359 360=head2 Security Bugs 361 362Beyond the obvious problems that stem from giving special privileges to 363systems as flexible as scripts, on many versions of Unix, set-id scripts 364are inherently insecure right from the start. The problem is a race 365condition in the kernel. Between the time the kernel opens the file to 366see which interpreter to run and when the (now-set-id) interpreter turns 367around and reopens the file to interpret it, the file in question may have 368changed, especially if you have symbolic links on your system. 369 370Fortunately, sometimes this kernel "feature" can be disabled. 371Unfortunately, there are two ways to disable it. The system can simply 372outlaw scripts with any set-id bit set, which doesn't help much. 373Alternately, it can simply ignore the set-id bits on scripts. 374 375However, if the kernel set-id script feature isn't disabled, Perl will 376complain loudly that your set-id script is insecure. You'll need to 377either disable the kernel set-id script feature, or put a C wrapper around 378the script. A C wrapper is just a compiled program that does nothing 379except call your Perl program. Compiled programs are not subject to the 380kernel bug that plagues set-id scripts. Here's a simple wrapper, written 381in C: 382 383 #define REAL_PATH "/path/to/script" 384 main(ac, av) 385 char **av; 386 { 387 execv(REAL_PATH, av); 388 } 389 390Compile this wrapper into a binary executable and then make I<it> rather 391than your script setuid or setgid. 392 393In recent years, vendors have begun to supply systems free of this 394inherent security bug. On such systems, when the kernel passes the name 395of the set-id script to open to the interpreter, rather than using a 396pathname subject to meddling, it instead passes I</dev/fd/3>. This is a 397special file already opened on the script, so that there can be no race 398condition for evil scripts to exploit. On these systems, Perl should be 399compiled with C<-DSETUID_SCRIPTS_ARE_SECURE_NOW>. The F<Configure> 400program that builds Perl tries to figure this out for itself, so you 401should never have to specify this yourself. Most modern releases of 402SysVr4 and BSD 4.4 use this approach to avoid the kernel race condition. 403 404=head2 Protecting Your Programs 405 406There are a number of ways to hide the source to your Perl programs, 407with varying levels of "security". 408 409First of all, however, you I<can't> take away read permission, because 410the source code has to be readable in order to be compiled and 411interpreted. (That doesn't mean that a CGI script's source is 412readable by people on the web, though.) So you have to leave the 413permissions at the socially friendly 0755 level. This lets 414people on your local system only see your source. 415 416Some people mistakenly regard this as a security problem. If your program does 417insecure things, and relies on people not knowing how to exploit those 418insecurities, it is not secure. It is often possible for someone to 419determine the insecure things and exploit them without viewing the 420source. Security through obscurity, the name for hiding your bugs 421instead of fixing them, is little security indeed. 422 423You can try using encryption via source filters (Filter::* from CPAN, 424or Filter::Util::Call and Filter::Simple since Perl 5.8). 425But crackers might be able to decrypt it. You can try using the byte 426code compiler and interpreter described below, but crackers might be 427able to de-compile it. You can try using the native-code compiler 428described below, but crackers might be able to disassemble it. These 429pose varying degrees of difficulty to people wanting to get at your 430code, but none can definitively conceal it (this is true of every 431language, not just Perl). 432 433If you're concerned about people profiting from your code, then the 434bottom line is that nothing but a restrictive license will give you 435legal security. License your software and pepper it with threatening 436statements like "This is unpublished proprietary software of XYZ Corp. 437Your access to it does not give you permission to use it blah blah 438blah." You should see a lawyer to be sure your license's wording will 439stand up in court. 440 441=head2 Unicode 442 443Unicode is a new and complex technology and one may easily overlook 444certain security pitfalls. See L<perluniintro> for an overview and 445L<perlunicode> for details, and L<perlunicode/"Security Implications 446of Unicode"> for security implications in particular. 447 448=head2 Algorithmic Complexity Attacks 449 450Certain internal algorithms used in the implementation of Perl can 451be attacked by choosing the input carefully to consume large amounts 452of either time or space or both. This can lead into the so-called 453I<Denial of Service> (DoS) attacks. 454 455=over 4 456 457=item * 458 459Hash Algorithm - Hash algorithms like the one used in Perl are well 460known to be vulnerable to collision attacks on their hash function. 461Such attacks involve constructing a set of keys which collide into 462the same bucket producing inefficient behavior. Such attacks often 463depend on discovering the seed of the hash function used to map the 464keys to buckets. That seed is then used to brute-force a key set which 465can be used to mount a denial of service attack. In Perl 5.8.1 changes 466were introduced to harden Perl to such attacks, and then later in 467Perl 5.18.0 these features were enhanced and additional protections 468added. 469 470At the time of this writing, Perl 5.18.0 is considered to be 471well-hardened against algorithmic complexity attacks on its hash 472implementation. This is largely owed to the following measures 473mitigate attacks: 474 475=over 4 476 477=item Hash Seed Randomization 478 479In order to make it impossible to know what seed to generate an attack 480key set for, this seed is randomly initialized at process start. This 481may be overridden by using the PERL_HASH_SEED environment variable, see 482L<perlrun/PERL_HASH_SEED>. This environment variable controls how 483items are actually stored, not how they are presented via 484C<keys>, C<values> and C<each>. 485 486=item Hash Traversal Randomization 487 488Independent of which seed is used in the hash function, C<keys>, 489C<values>, and C<each> return items in a per-hash randomized order. 490Modifying a hash by insertion will change the iteration order of that hash. 491This behavior can be overridden by using C<hash_traversal_mask()> from 492L<Hash::Util> or by using the PERL_PERTURB_KEYS environment variable, 493see L<perlrun/PERL_PERTURB_KEYS>. Note that this feature controls the 494"visible" order of the keys, and not the actual order they are stored in. 495 496=item Bucket Order Perturbance 497 498When items collide into a given hash bucket the order they are stored in 499the chain is no longer predictable in Perl 5.18. This 500has the intention to make it harder to observe a 501collision. This behavior can be overridden by using 502the PERL_PERTURB_KEYS environment variable, see L<perlrun/PERL_PERTURB_KEYS>. 503 504=item New Default Hash Function 505 506The default hash function has been modified with the intention of making 507it harder to infer the hash seed. 508 509=item Alternative Hash Functions 510 511The source code includes multiple hash algorithms to choose from. While we 512believe that the default perl hash is robust to attack, we have included the 513hash function Siphash as a fall-back option. At the time of release of 514Perl 5.18.0 Siphash is believed to be of cryptographic strength. This is 515not the default as it is much slower than the default hash. 516 517=back 518 519Without compiling a special Perl, there is no way to get the exact same 520behavior of any versions prior to Perl 5.18.0. The closest one can get 521is by setting PERL_PERTURB_KEYS to 0 and setting the PERL_HASH_SEED 522to a known value. We do not advise those settings for production use 523due to the above security considerations. 524 525B<Perl has never guaranteed any ordering of the hash keys>, and 526the ordering has already changed several times during the lifetime of 527Perl 5. Also, the ordering of hash keys has always been, and continues 528to be, affected by the insertion order and the history of changes made 529to the hash over its lifetime. 530 531Also note that while the order of the hash elements might be 532randomized, this "pseudo-ordering" should B<not> be used for 533applications like shuffling a list randomly (use C<List::Util::shuffle()> 534for that, see L<List::Util>, a standard core module since Perl 5.8.0; 535or the CPAN module C<Algorithm::Numerical::Shuffle>), or for generating 536permutations (use e.g. the CPAN modules C<Algorithm::Permute> or 537C<Algorithm::FastPermute>), or for any cryptographic applications. 538 539Tied hashes may have their own ordering and algorithmic complexity 540attacks. 541 542=item * 543 544Regular expressions - Perl's regular expression engine is so called NFA 545(Non-deterministic Finite Automaton), which among other things means that 546it can rather easily consume large amounts of both time and space if the 547regular expression may match in several ways. Careful crafting of the 548regular expressions can help but quite often there really isn't much 549one can do (the book "Mastering Regular Expressions" is required 550reading, see L<perlfaq2>). Running out of space manifests itself by 551Perl running out of memory. 552 553=item * 554 555Sorting - the quicksort algorithm used in Perls before 5.8.0 to 556implement the sort() function is very easy to trick into misbehaving 557so that it consumes a lot of time. Starting from Perl 5.8.0 a different 558sorting algorithm, mergesort, is used by default. Mergesort cannot 559misbehave on any input. 560 561=back 562 563See L<http://www.cs.rice.edu/~scrosby/hash/> for more information, 564and any computer science textbook on algorithmic complexity. 565 566=head1 SEE ALSO 567 568L<perlrun> for its description of cleaning up environment variables. 569