#4130 $mdir taints @INC in foreign_require

Milestone: 1.550
Status: closed-fixed
Priority: 5
Updated: 2014-09-25
Created: 2012-08-15
Creator: Danny Sauer
Private: No

So, after beating my head against a wall trying to use DBI in a module under suid Webmin CGIs, I finally found the problem. Apparently, when @INC has $mdir added in foreign_require, it taints @INC and ultimately causes a segmentation fault when DBI loads:

apachapp@host [/usr/libexec/webmin]
$ /usr/libexec/webmin/xmlrpc.cgi < /tmp/file
Segmentation fault

The /tmp/file input is just the XML generated by XML::RPC when it calls a function (it's not important, any RPC call to a module with a "use DBI" triggers the behavior). This only happens with DBI in my testing, though I didn't test every known perl module or anything. I assume it has something to do with the way DBI imports other drivers automatically. In any event, this can be reproduced by sticking a "require DBI" into foreign_require before and after the first @INC modification line, and running suid root xmlrpc.cgi as a non-root user (so, in this case, "apachapp" runs suid root xmlrpc). I was not using the database-backed user store at the time; this might not happen in the web interface if users are stored in Postgres/MySQL, as DBI will already be loaded in those cases. But it should happen on the command line either way.

However, by untainting $mdir before it's added to @INC, the DBI module loading works fine. I made this change in xmlrpc.cgi to resolve the problem:

my @OLDINC = @INC;
my $mdir = &module_root_directory($mod);   # tainted when the CGI runs under taint mode (-T or setuid)
$mdir =~ /(.*)/; #untaint, part 1: a regex capture is what clears Perl's taint flag
$mdir = $1;      #untaint, part 2: $1 is untainted (note that .* matches anything, so this pattern validates nothing)
@INC = &unique($mdir, @INC);   # $mdir is now safe to add without tainting @INC

By "making sure $mdir is a safe value", it's effectively untainted and can be used without problems. And, the same RPC call now works:

apachapp@host [/usr/libexec/webmin]
$ /usr/libexec/webmin/xmlrpc.cgi < /tmp/file
<?xml version="1.0" encoding="iso-8859-1"?>
...

There are other ways to untaint variables, but I think the "use a regex to ensure that the value is safe" method is the easiest. And this change resolves the issue I was trying to track down yesterday when I stumbled across the real vs. effective UID thing. :)
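The mechanism behind the report, shown in a stand-alone script: a tainted directory in @INC makes `require` die under taint mode (the usual symptom on a current perl is "Insecure dependency in require"; the segfault above was seen with DBI specifically), and a regex capture is what produces an untainted copy. This is an added example, not Webmin's code or the patch that went in; `Demo.pm`, the temporary directory and the `untaint_dir` helper are constructed for the demonstration. It deliberately uses a validating pattern instead of `/(.*)/`, which untaints any value without checking it, so the last step also shows a path that `/(.*)/` would accept and validation rejects.

```perl
#!/usr/bin/perl -T
# Added example (not Webmin code): a tainted directory in @INC versus an
# untainted one, under taint mode. Run it as:  perl -T taint_inc.pl
# (setuid scripts get -T implicitly, which is the situation in the report).
use strict;
use warnings;
use File::Temp   qw(tempdir);
use Scalar::Util qw(tainted);

# A throwaway module directory so the script runs offline (constructed).
my $moddir = tempdir(CLEANUP => 1);
open my $fh, '>', "$moddir/Demo.pm" or die "cannot write Demo.pm: $!";
print $fh "package Demo;\nsub hello { 'hello from Demo' }\n1;\n";
close $fh or die "cannot close Demo.pm: $!";

# tempdir() returns an untainted path, so taint it deliberately: anything
# derived from %ENV is tainted, even an empty substring of it.
die "PATH must be set in the environment for this demo\n"
    unless exists $ENV{PATH};
my $tainted_dir = $moddir . substr($ENV{PATH}, 0, 0);
die "expected a tainted value\n" unless tainted($tainted_dir);

# Untaint by validation: accept only an absolute path made of portable
# filename characters with no '..' component. Only the capture $1 loses the
# taint flag, so the pattern has to describe what a safe value looks like.
# (Assumption: the module directories in question never need other characters.)
sub untaint_dir {
    my ($path) = @_;
    return unless $path =~ m{\A(/[\w./-]+)\z};
    my $clean = $1;
    return if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $clean;
}

# 1. Tainted entry in @INC: require dies before it opens any file.
{
    local @INC = ($tainted_dir, @INC);
    if (eval { require Demo; 1 }) {
        print "unexpected: tainted \@INC was accepted\n";
    } else {
        print "tainted \@INC: $@";   # Insecure dependency in require while running with -T switch ...
    }
}

# 2. Untainted entry: the same require succeeds.
my $safe_dir = untaint_dir($tainted_dir)
    // die "refusing module directory that fails validation: $tainted_dir\n";
die "untaint_dir returned a tainted value\n" if tainted($safe_dir);
{
    local @INC = ($safe_dir, @INC);
    require Demo;
    print "untainted \@INC: ", Demo::hello(), "\n";
}

# 3. A value that /(.*)/ would untaint unchanged, but validation rejects.
my $hostile = "$moddir/../evil" . substr($ENV{PATH}, 0, 0);
printf "%s -> %s\n", $hostile,
    (defined untaint_dir($hostile)) ? 'accepted' : 'rejected';
```

The check that matters is the third one: taint mode only tracks where a value came from, and a capture group untaints whatever it matches. A pattern that describes the allowed shape of a module directory turns the untaint into an actual validation step, which `/(.*)/` does not.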

Discussion

  • Danny Sauer

    Danny Sauer - 2012-08-15

    Also, sorry to put this in "Webmin Configuration"; there isn't an obvious option for "webmin internal functionality". :)

     
  • Danny Sauer

    Danny Sauer - 2012-08-15
    • milestone: --> 1.550
     
  • Jamie Cameron

    Jamie Cameron - 2012-08-15

    Thanks for the patch!

    However, I assume you made the change in web-lib-funcs.pl , as that's where @INC is updated using $mdir ?

     
  • Jamie Cameron

    Jamie Cameron - 2012-08-15
    • status: open --> open-accepted
     
  • Danny Sauer

    Danny Sauer - 2012-08-15

    Oh yeah, I should've mentioned the file. :-) Yes, it was the web-lib-funcs file, in the foreign require function.

     
  • Jamie Cameron

    Jamie Cameron - 2012-08-15

    Great! That fix will go into the next Webmin release.

     
  • Jamie Cameron

    Jamie Cameron - 2012-08-15
    • status: open-accepted --> closed-fixed
     
