[Dancer-users] Need help in understanding the role of taint handling in Dancer

Gurunandan Bhat gbhat at pobox.com
Thu Apr 21 00:18:54 CEST 2011 

Yes - would be great to do that.
To keep things focussed on the issue at hand, let me strip all the PKI stuff
and post it here.
Will take me a day....

Thank you.


On Wed, Apr 20, 2011 at 2:41 PM, Flavio Poletti <polettix at gmail.com> wrote:

> Would you produce a minimal test script that exposes the problem?
>
> Cheers,
>
>     Flavio.
>
>
> On Wed, Apr 20, 2011 at 9:41 PM, Gurunandan Bhat <gbhat at pobox.com> wrote:
>
>> Thanks Flavio.
>>
>>
>>    1. The input string for encryption is byte-level identical in both
>>    cases. I have used unpack to look at the input string in both cases to
>>    confirm this. I have run a large number of tests.
>>     2. I have used the regular expression trick to untaint (just in case)
>>    in my own code. In addition, I am using Data::FormValidator to validate the
>>    input strings so I guess it uses a regexp check in any case. For good
>>    measure I have passed the option untaint_all_constraints => 1 to DFV just in
>>    case.
>>    3. There is something in the Dancer runtime environment that makes
>>    Crypt::OpenSSL::RSA do the wrong thing. If it is not taint and it is not
>>    encoding (which I have confirmed) - what could it be? If I knew this I could
>>    pass it on to the Crypt::OpenSSL::RSA guys so that they can fix whatever it
>>    is thats going wrong there.
>>
>>
>> Thanks once again for your time and your attention
>>
>>
>>
>>
>> On Wed, Apr 20, 2011 at 12:18 PM, Flavio Poletti <polettix at gmail.com>wrote:
>>
>>> I would be surprised if taint is the cause of your pain. From what I
>>> know:
>>>
>>> * you are the sole responsible for activating taint mode. It has to be
>>> set in the hash-bang and possibly provided on the command line;
>>> * when taint kicks in something like "die()" happens, so you should be
>>> pretty aware of it (unless you wrap it all with eval() and throw away any
>>> error).
>>>
>>> You can try your command-line script with taint mode turned on by means
>>> of the "-T" command-line switch (see perldoc perlrun for details). If you
>>> want to try and untaint the input string for the password, you have to use a
>>> regular expression:
>>>
>>> my ($untainted_password) = $tainted_password =~ /(.*)/;
>>>
>>> Note that the "blind untaint" method above is frowned upon, tainting is
>>> all about forcing you (the programmer) to carefully check your inputs so you
>>> should try to figure out the correct way to validate the input. In this case
>>> I think that we can assume that any character is valid for a password, so
>>> the whole string is good.
>>>
>>>
>>> One thing I'd look at is encoding. I'd try to see whether, in the two
>>> different contexts, the two password:
>>>
>>> 1. have the same encoding status (use utf8::is_utf8() for this, see
>>> perldoc utf8)
>>> 2. are exactly the same (in this case I'd use something like
>>>
>>>    warning unpack 'H*', $password;
>>>
>>> in order to see the raw bytes in hex).
>>>
>>> Good luck,
>>>
>>>     Flavio.
>>>
>>>
>>>
>>> On Wed, Apr 20, 2011 at 8:20 PM, Gurunandan Bhat <gbhat at pobox.com>wrote:
>>>
>>>> Hi,
>>>>
>>>> I am in the process of writing a Dancer application that does (in part)
>>>> some heavy lifting of PKI (RSA) [en|de]cryption using Crypt::OpenSSL::RSA
>>>> and a few other Crypt::* modules and have been hit with an issue that I do
>>>> not fully understand. Here is a rough sequence of what happens:
>>>>
>>>>
>>>>    1. I have written a Moose based class that does PKI stuff. One of
>>>>    the the methods in this class is encrypting binary strings using a Public
>>>>    Key. The Public Key is read from a file on disk.
>>>>    2. When I run a test script with this class, the encryption works
>>>>    fine.
>>>>    3. When I run the same script as a route handler in Dancer the
>>>>    encryption silently produces the wrong result - decrypting it does not give
>>>>    me the original string.
>>>>    4. Testing is a bit hard and complicated due to the fact that RSA
>>>>    encryption is not deterministic and encrypting the same string twice will
>>>>    give wildly different strings but decrypting both should correctly give the
>>>>    original string. However after a few days of trying out multiple test code -
>>>>    I am reasonably certain that *encryption with Crypt::OpenSSL::RSA
>>>>    gives the correct result from the command line but gives the wrong result
>>>>    when run as a Dance route handler*.I am currently working around
>>>>    this by doing the encryption through a script on disk which the route
>>>>    handler runs - but this is obviously too silly for words.
>>>>
>>>> The only thing I can attribute this to is that my input string collected
>>>> from a form and/or my public key object which I read from file are marked as
>>>> tainted in Dancer but not in a command line script and that
>>>> Crypt::OpenSSL::RSA has a bug when used with tainted variables. This is a
>>>> conjecture but the only one that seems likely given the large amount of
>>>> testing that I have done.
>>>>
>>>> With this background here are a couple of questions that I have:
>>>>
>>>>
>>>>    1. Does Dancer taint input variables received from the user(-form)?
>>>>    2. If yes, how do I untaint it.
>>>>    3. How can I conclusively confirm that taintedness is causing the
>>>>    difference in output between the command line script and the route handler.
>>>>    With identical inputs to my command line script and to my route handler I am
>>>>    certain that there is a difference in output. I am wondering if taintedness
>>>>    is the cause.
>>>>
>>>> Thank you for your patience in reading this rather long message
>>>>
>>>> _______________________________________________
>>>> Dancer-users mailing list
>>>> Dancer-users at perldancer.org
>>>> http://www.backup-manager.org/cgi-bin/listinfo/dancer-users
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Dancer-users mailing list
>>> Dancer-users at perldancer.org
>>> http://www.backup-manager.org/cgi-bin/listinfo/dancer-users
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.backup-manager.org/pipermail/dancer-users/attachments/20110420/a3a06980/attachment-0001.htm>

More information about the Dancer-users mailing list