我正在通过“sendmail”发送包含一些用户提供的数据的内容。我用 perl 调用它,例如
open(MAIL, "| /usr/sbin/sendmail -fsomeone\@somewhere.com -t ")
print MAIL "the user content..."
close(MAIL)
这里是否有任何风险,例如用户以注入代码的方式格式化他的数据?
问问题
785 次
2 回答
2
Perl 脚本本身并没有特别危险(我假设“用户内容”代表变量的内容)。但是,无论谁收到邮件,都会受到“用户内容……”的支配。
为确保不会发生任何不好的事情,我们需要查看更多您的脚本。阅读(并确保您理解)Dawid Wheeler 的“Linux 和 Unix 的安全编程 HOWTO”,同时寻找安全的 Perl 编程(也许CERT 标准是一个很好的起点)。
于 2013-02-15T18:47:30.573 回答
0
That depends if the email adress in the command line argument is hardcoded, or user-supplied.
If the command is hardcoded, and you use a double-quoted string, the @somewhere array will be interpolated. I assume this is a typo, and it would be backslashed.
If that adress can be user-set (open MAIL, "| ... -f$adress"), then this is vulnerable to shell code injection: $adress = '; rm -rf * ;'
This can be avoided by input validation, and/or by using multiple arguments for open:
open my $MAIL, "|-", "/usr/bin/sendmail", @args or die ...;
- Lexical Filehandles are better
- Explicit open mode as seperate argument is safer (
|- -| < > >> +<) - Multiple arguments to avoid shell interpretation of command.
- Return value checking
The -t flag will (iirc) read header values from the user input. This will not affect the security of your script, but would allow the user to include bogus headers. Users may be able to abuse your script for their purposes, e.g. spamming! It might be better to construct the header yourself, and restrict the user to providing the body of the message only.
于 2013-02-15T19:09:08.387 回答