Skip Menu |

This queue is for tickets about the Sys-Syslog CPAN distribution.

Report information
The Basics
Id: 41234
Status: open
Priority: 0/
Queue: Sys-Syslog

People
Owner: Nobody in particular
Requestors: MARKOV [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.27
Fixed in: (no value)



Subject: escape escapes
Many people use syslog() unaware of possible "code injection" schemes, especially when syslog is used in trace mode where raw incoming data is logged before processing. Simple example: a cgi script receives form data and logs this before inspecting it at detail. The data contains escape codes, which are sent through syslog() to log-files. The log-files (on UNIX/Linux) are usually only readible by root. The super-user opens the logfile with 'vi' (and friends), which prints the escape codes to the xterm. Some escape codes are more dangerous than other. Where we cannot change the behavior of the kernel syslog() implementation, we can protect root from (unknowingly) unsafe behavior of Perl programmers. Syslog should replace the non-printables. For instance, an escape code should be rewritten into \x1b, \e or <esc> AFAIK, there is no (core) module which can un-arm dangerous strings. It could be a useful general extension of Encode or even PerlIO. There could be one standard conversion choice, or it can be made configurable. Suggested interface: openlog $name, "pid,encoding(utf-8),escape(hex)", "local1"; openlog $name, "pid,raw,unsafe", "local2"; #currently
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Thu, 12 Feb 2009 01:55:37 +0100
To: bug-Sys-Syslog [...] rt.cpan.org
From: Sébastien Aperghis-Tramoni <saper [...] cpan.org>
Hello Mark, Apologies for answering only now. I forgot several times to write the code, then to package the code, then to answer this ticket.. I wrote a module to test the C code that does the actual work of escaping non-printable characters. » http://search.cpan.org/dist/PerlIO-via-escape_ansi/ The module itself is more a proof-of-concept, the XS being extremely simple, and most probably subject to memory leaks. A true PerlIO module should be written in full XS (but that's harder to do, especially given my XS level). If you think this code is good enough, I'll integrate it in Sys::Syslog. -- Sébastien Aperghis-Tramoni Close the world, txEn eht nepO.
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Sun, 19 Apr 2009 16:52:01 +0200
To: bug-Sys-Syslog [...] rt.cpan.org
From: Sébastien Aperghis-Tramoni <saper [...] cpan.org>
Show quoted text
> I wrote a module to test the C code that does the actual work of > escaping non-printable characters. > » http://search.cpan.org/dist/PerlIO-via-escape_ansi/ > > The module itself is more a proof-of-concept, the XS being > extremely simple, and most probably subject to memory leaks. A true > PerlIO module should be written in full XS (but that's harder to > do, especially given my XS level). > > If you think this code is good enough, I'll integrate it in > Sys::Syslog.
Now done, http://svnweb.mongueurs.net/Sys-Syslog/revision/?rev=270 -- Sébastien Aperghis-Tramoni Close the world, txEn eht nepO.
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Mon, 20 Apr 2009 09:30:56 +0200
To: Sébastien Aperghis-Tramoni via RT <bug-Sys-Syslog [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* Sébastien Aperghis-Tramoni via RT (bug-Sys-Syslog@rt.cpan.org) [090419 14:52]: Show quoted text
> <URL: http://rt.cpan.org/Ticket/Display.html?id=41234 >
> > I wrote a module to test the C code that does the actual work of > > escaping non-printable characters. > > » http://search.cpan.org/dist/PerlIO-via-escape_ansi/
> > Now done, http://svnweb.mongueurs.net/Sys-Syslog/revision/?rev=270
Your initial work has slipped my attention. It seems like a smart implementation, with minimal delay. Great. Should the conversion be disabled when EBCIDC? -- Great work! MarkOv ------------------------------------------------------------------------ Mark Overmeer MSc MARKOV Solutions Mark@Overmeer.net solutions@overmeer.net http://Mark.Overmeer.net http://solutions.overmeer.net
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Tue, 21 Apr 2009 01:55:42 +0200
To: bug-Sys-Syslog [...] rt.cpan.org
From: Sébastien Aperghis-Tramoni <saper [...] cpan.org>
Mark Overmeer wrote via RT: Show quoted text
> Sébastien Aperghis-Tramoni via RT (bug-Sys-Syslog@rt.cpan.org) > [090419 14:52]:
>>
>>> I wrote a module to test the C code that does the actual work of >>> escaping non-printable characters. >>> » http://search.cpan.org/dist/PerlIO-via-escape_ansi/
>> >> Now done, http://svnweb.mongueurs.net/Sys-Syslog/revision/?rev=270
> > Your initial work has slipped my attention. It seems like a smart > implementation, with minimal delay. Great. > > Should the conversion be disabled when EBCIDC?
Arrrrghhhhhh.... EBCDIC! Would do you hate me? Well, yes, but I guess that to be actually correct, we should have the corresponding translation table. Unless EBCDIC systems are immune to sequences attacks? -- Sébastien Aperghis-Tramoni Close the world, txEn eht nepO.
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Tue, 21 Apr 2009 08:52:37 +0200
To: Sébastien Aperghis-Tramoni via RT <bug-Sys-Syslog [...] rt.cpan.org>
From: Mark Overmeer <solutions [...] overmeer.net>
* Sébastien Aperghis-Tramoni via RT (bug-Sys-Syslog@rt.cpan.org) [090420 23:56]: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=41234 > > Arrrrghhhhhh.... EBCDIC! Would do you hate me? > Well, yes, but I guess that to be actually correct, we should have > the corresponding translation table. Unless EBCDIC systems are immune > to sequences attacks?
I think a simple #ifdef would do, simply exclude all the logic. But I do not know which compile flag to test for. (Haven't touched an EBDDIC system in 15 years) -- Regards, MarkOv ------------------------------------------------------------------------ drs Mark A.C.J. Overmeer MARKOV Solutions Mark@Overmeer.net solutions@overmeer.net http://Mark.Overmeer.net http://solutions.overmeer.net
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Tue, 28 Apr 2009 22:18:41 +0200
To: bug-Sys-Syslog [...] rt.cpan.org
From: Sébastien Aperghis-Tramoni <saper [...] cpan.org>
Mark Overmeer wrote via RT: Show quoted text
>> Arrrrghhhhhh.... EBCDIC! Would do you hate me? >> Well, yes, but I guess that to be actually correct, we should have >> the corresponding translation table. Unless EBCDIC systems are immune >> to sequences attacks?
> > I think a simple #ifdef would do, simply exclude all the logic. But I > do not know which compile flag to test for. (Haven't touched an > EBDDIC > system in 15 years)
I never touched an EBCDIC system. Hopefully, a quick search through perlport gave me the correct way to know whether we're on EBCDIC in the Perl side: use constant EBCDIC => ord("A") == 193; I also found that there's a C macro "EBCDIC", so we can detect this both sides. -- Sébastien Aperghis-Tramoni Close the world, txEn eht nepO.
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Thu, 30 Jul 2009 10:35:43 +0200
To: Sébastien Aperghis-Tramoni via RT <bug-Sys-Syslog [...] rt.cpan.org>
From: Mark Overmeer <solutions [...] overmeer.net>
Hey Sébastien, Any chance on releasing Sys::Syslog with charset protections within a forseeable future? See you in Lisbon? MarkOv * MARKOV Solutions (solutions@overmeer.net) [090421 08:52]: Show quoted text
> * Sébastien Aperghis-Tramoni via RT (bug-Sys-Syslog@rt.cpan.org) [090420 23:56]:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=41234 > > > Arrrrghhhhhh.... EBCDIC! Would do you hate me? > > Well, yes, but I guess that to be actually correct, we should have > > the corresponding translation table. Unless EBCDIC systems are immune > > to sequences attacks?
> > I think a simple #ifdef would do, simply exclude all the logic. But I > do not know which compile flag to test for. (Haven't touched an EBDDIC > system in 15 years)
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Thu, 30 Jul 2009 20:50:11 +0200
To: bug-Sys-Syslog [...] rt.cpan.org
From: Sébastien Aperghis-Tramoni <saper [...] cpan.org>
Mark Overmeer wrote via RT: Show quoted text
> Hey Sébastien,
Hello Mark Show quoted text
> Any chance on releasing Sys::Syslog with charset protections > within a forseeable future?
As soon as I can rework the code to avoid it to leak / crash. I'm not a very good C programmer, and clearly not a good XS one. I haven't released the current code because when executing the tests suite, it crashes Perl. I know I must rewrite the way the internal escaping function works. Just haven't found the time/motivation to do it for now. Show quoted text
> See you in Lisbon?
Yup, I'm supposed to talk there. And I'm supposed to write slides beforehand (argh). -- Sébastien Aperghis-Tramoni Close the world, txEn eht nepO.
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Thu, 30 Jul 2009 23:38:57 +0200
To: Sébastien Aperghis-Tramoni via RT <bug-Sys-Syslog [...] rt.cpan.org>
From: Mark Overmeer <solutions [...] overmeer.net>
* Sébastien Aperghis-Tramoni via RT (bug-Sys-Syslog@rt.cpan.org) [090730 18:50]: Show quoted text
> As soon as I can rework the code to avoid it to leak / crash. I'm not > a very good C programmer, and clearly not a good XS one. I haven't > released the current code because when executing the tests suite, it > crashes Perl. I know I must rewrite the way the internal escaping > function works. Just haven't found the time/motivation to do it for now.
I did program C for 10 years. But XS is an other thing. char * escape_non_printable_chars(const char *input) { if (num == 0) return (char *) input; Here, you change a "const *" into a non-const, allowing the original input buffer to be overwritten via the pointer which is returned. Don't: make both const. For memory allocation, you should probably use the New... macros (discribed in perlguts), and Safefree. Maybe we should ask Nick for help... -- Greetz, Good luck with your presentation, MarkOv ------------------------------------------------------------------------ Mark Overmeer MSc MARKOV Solutions Mark@Overmeer.net solutions@overmeer.net http://Mark.Overmeer.net http://solutions.overmeer.net
Subject: Re: [rt.cpan.org #41234] escape escapes
Date: Fri, 31 Jul 2009 00:35:37 +0200
To: bug-Sys-Syslog [...] rt.cpan.org
From: Sébastien Aperghis-Tramoni <saper [...] cpan.org>
Mark Overmeer wrote via RT: Show quoted text
> * Sébastien Aperghis-Tramoni via RT (bug-Sys-Syslog@rt.cpan.org) > [090730 18:50]:
>> As soon as I can rework the code to avoid it to leak / crash. I'm not >> a very good C programmer, and clearly not a good XS one. I haven't >> released the current code because when executing the tests suite, it >> crashes Perl. I know I must rewrite the way the internal escaping >> function works. Just haven't found the time/motivation to do it >> for now.
> > I did program C for 10 years. But XS is an other thing. > > char * escape_non_printable_chars(const char *input) { > if (num == 0) > return (char *) input; > > Here, you change a "const *" into a non-const, allowing the original > input buffer to be overwritten via the pointer which is returned. > Don't: make both const.
When I first wrote this code, I wanted to be smart and avoid useless memory allocation. Now I think it should just be simpler and more consistent. Show quoted text
> For memory allocation, you should probably use the New... macros > (discribed in perlguts), and Safefree.
IIRC, when I looked at Perl headers, they already redeclare malloc() and free() to use internal Perl functions. I'd prefer to keep the escaping code generic so anyone could copy it, because I wasn't able to find similar code on the intarweb. Show quoted text
> Maybe we should ask Nick for help...
Now that he has forked, he'll have even less free time ;-) I don't think the problem is very complex and worth annoying Nicholas or Raphaël, it's just that I haven't spend enough time on it. Then, once I think the code is good enough, I'll send it to P5P for review. -- Sébastien Aperghis-Tramoni Close the world, txEn eht nepO.