Internet Security Professional Reference:CGI Security

The eval Construct

The eval statement instructs PERL to execute the contents of a variable as if it were another PERL program. This can be very useful (as LISP programmers will attest) but can also be used to subvert security. Often, eval is used to catch potentially fatal errors so the program can give a meaningful error message or to aid performance by avoiding unnecessary runtime checks.

This can be dangerous! For example, one CGI accepted a PERL regular expression from the user and attempted to verify its syntax by using eval:

eval("/$regexp/");   # string eval: $regexp is interpolated into the source text before it is compiled

Because eval sets an error flag if the evaluated code is illegal, this would trap an otherwise fatal error. However, because the variable interpolation is done before the code is evaluated, if $regexp contained /; system 'cat /etc/passwd'; / the evaluation would display the password file. The safe way to achieve the same effect is to remove the double quotes, because they are responsible for the double expansion:

eval { /$regexp/ };   # block eval: $regexp is used only as a pattern, never compiled as code; a malformed pattern still raises a trappable error

If you find this confusing, stick to the basics: do not allow user-supplied variables to introduce code. If run with taint checks enabled, PERL flags the unsafe eval as insecure unless you intentionally take steps to untaint the variable.

C and C++

C and C++ are not as well suited to CGI programming as PERL but are still widely used when speed is a significant factor or when a PERL interpreter is not available and the undump mechanism is unsatisfactory. And, of course, C or C++ is the preferred language for many programmers.

There are at least two ways to fork a shell in C or C++, and all the same warnings apply:

  system: system(command_buffer);
  popen:  popen(command_buffer, "w");

Buffer Overruns

A problem particular to relatively low-level languages like C is that of buffer overruns. All memory must be explicitly managed, and C requires that the programmer ensure there is enough space to perform a given operation. If the programmer fails at this task, something undesirable takes place; at best the program simply crashes. If the operating system uses one stack for both code and data, it is possible to overrun a buffer with code to be executed, then fool the program into executing that code. Even if separate stacks are used, the overrun can overwrite private program data (such as replacing one program to be executed with another). Buffer overruns have been the source of many break-ins over the years; the famous Internet worm of 1988 used this method (among others) to spread to thousands of machines.

A number of standard C functions are prone to introducing overruns. The strcpy function does not allow specification of how many characters to copy; use strncpy or strdup instead. The gets function does not allow specification of how many characters to read; use fgets on stdin instead. It is wise to obtain a good memory management tool to help find any problems before making a CGI available.
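As an added example (not from the book), here is what the two replacements the text recommends look like when written to actually enforce the bound: a bounded copy that always terminates the string (a raw strncpy call does not when the source fills the buffer, and strdup moves the problem to a heap allocation the caller must free) and an fgets-based line reader that copes with a line longer than the buffer. The function names and the sample input in the test are my own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy that always NUL-terminates, unlike a raw strncpy call
   when strlen(src) >= dstsize.  Returns 0 on success, -1 if the source
   does not fit (dst is left as an empty string rather than truncated,
   so a too-long field is rejected instead of silently shortened). */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* copy the NUL along with the text */
    return 0;
}

/* Bounded line read: the fgets replacement for gets the text recommends,
   reading from any FILE* (stdin for a CGI).  Strips the newline.
   Returns -1 on EOF/error, 0 on success, 1 if the line was longer than
   the buffer.  In the long-line case the remainder is drained and
   discarded so it cannot be mistaken for the next line. */
int read_line(char *buf, size_t bufsize, FILE *in)
{
    if (fgets(buf, (int)bufsize, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    if (feof(in))                /* final line simply had no newline */
        return 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                        /* drain the over-long remainder */
    return 1;
}
```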

Safe Languages

A safe language prevents the programs it runs from performing certain dangerous operations. It is actually not the language itself that is safe, but rather the execution environment provided by the interpreter.

Native machine code cannot be rendered safe, because it can communicate with the operating system directly. In recent times this concept has received a lot of attention because it allows for execution of code downloaded over the network, but safety can also be used to provide a higher assurance of security in CGI programs.

safecgiperl

One package carrying the unwieldy name of safecgiperl was written by Malcolm Beattie specifically with this in mind. It leverages the Safe.pm module available for PERL5, which allows the creation of compartment objects in which code is evaluated subject to certain restrictions.

safecgiperl provides an excellent way to enable users to write CGI scripts while minimizing risk. It prohibits nearly all operations that enable direct communication with the operating system, including the following:

  All methods of invoking a shell or creating a new process
  All methods of network access and interprocess communication
  All methods of creating or removing files
  All file test operators
  Inclusion of any other PERL code

It allows programs to open a file for reading only if owned by the same user; files can be opened for writing only in a predefined directory and only if they already exist.

The address for Safe.pm is ftp://ftp.ox.ac.uk/pub/perl/Safe-b2.tar.gz.

The address for safecgiperl is ftp://ftp.ox.ac.uk/pub/perl/safecgiperl-b1.tar.gz.

Other Safe Languages

PERL’s safe CGI support might be the best of any language, but other alternatives exist. At least two other languages popular for CGI programming have safe enhancements available: Tcl and Python. Current information on these languages and their safe versions can be obtained on the WWW.

The address for Tcl is http://sunscript.sun.com/.

The address for Python is http://www.python.org/.
