Subject: Security: parsefile function uses 2-argument open()
Moved here from https://github.com/chorny/XML-Parser/issues/8
guimard commented on Feb 25
Hi,
a Debian user reported that XML-Parser is vulnerable: the XML::Parser::parsefile function uses 2-argument open().
As a consequence, users of this function can't use it to securely check
files with untrusted names. (Unless the users sanitize the filenames
themselves, which they don't, because AFAICT this behavior is not
documented.)
Proof of concept (duck is a Debian tool that uses XML::Parser):
$ touch '; false .appdata; cowsay pwned >&2; kill $PPID |'
$ duck
sh: 1: ./: Permission denied
Here is a trivial patch:
--- a/Expat/Expat.pm
+++ b/Expat/Expat.pm
@@ -86,7 +86,7 @@
}
local(*ENC);
- open(ENC, $file) or croak("Couldn't open encmap $file:\n$!\n");
+ open(ENC, '<', $file) or croak("Couldn't open encmap $file:\n$!\n");
binmode(ENC);
my $data;
my $br = sysread(ENC, $data, -s $file);
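Review bot: the unchanged context line my $br = sysread(ENC, $data, -s $file); still takes the read length from the path rather than from the handle that was just opened, so the size and the data can come from different files if the path is replaced between the open and the stat. Since this hunk is already hardening how $file is handled, consider changing it to -s ENC so that both refer to the same opened file. The 3-argument open itself looks right here.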
@@ -492,7 +492,7 @@
my $self = shift;
croak "Parser has already been used" if $self->{_State_};
local(*FILE);
- open(FILE, $_[0]) or croak "Couldn't open $_[0]:\n$!";
+ open(FILE, '<', $_[0]) or croak "Couldn't open $_[0]:\n$!";
binmode(FILE);
my $ret = $self->parse(*FILE);
close(FILE);
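Review bot: the change to open(FILE, '<', $_[0]) alters caller-visible behaviour that is not documented anywhere in this patch. With the 2-argument form a name of "-" opened STDIN and leading and trailing whitespace in the name was stripped; with '<' the string is taken as a literal path. Please add a sentence to this method's documentation and to the changelog stating that the argument is now always treated as a plain filename opened for reading, so callers who relied on the old behaviour know to pass a filehandle to parse instead.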
--- a/Parser.pm
+++ b/Parser.pm
@@ -216,7 +216,7 @@
my $self = shift;
my $file = shift;
local(*FILE);
- open(FILE, $file) or croak "Couldn't open $file:\n$!";
+ open(FILE, '<', $file) or croak "Couldn't open $file:\n$!";
binmode(FILE);
my @ret;
my $ret;
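Review bot: no regression test accompanies this hunk in the patch as posted, which changes only Expat/Expat.pm and Parser.pm. Suggest adding a test that calls parsefile with a name ending in " |" (and one starting with ">") in a temporary directory and asserts that it either parses the file of that literal name or croaks with "Couldn't open", and that no command is run and no file is created or truncated. As a style follow-up, local(*FILE) with a bareword handle could become a lexical handle, open(my $fh, '<', $file), which also closes automatically on the croak path.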