Question

When I invoke "sudo /sbin/iptables ..." in my Perl CGI scripts, I get the error:

Insecure dependency in system while running with -T switch at usr/lib/perl5/vendor_perl/5.8.8/IPC/Run3.pm line 403

I tried to add "/sbin:/etc/sysconf:/etc/init.d" to $ENV{'PATH'} but still no success. Does anybody have any idea?


Solution

You are supposed to restrict the path, meaning: setting it to a small number of known values that fulfill certain requirements (such as $ENV{PATH} = '/sbin:/usr/sbin:/usr/bin';), not adding to it. See Cleaning Up Your Path in perlsec for the details.

In your simple case, it is best to clear it altogether and rely only on system calls with fully qualified file names.

#!/usr/bin/perl -T
# Remove PATH and ENV entirely: under -T an absent PATH is safe, an inherited one is not
delete @ENV{qw(PATH ENV)};
# Call the programs by absolute path, so no lookup through $PATH is ever needed
system qw(/usr/bin/sudo /sbin/iptables -h);

Other tips

Yes, you have an insecure dependency in system while running with the -T switch. :p

You're running your script in taintperl mode, and calling an external program (with sudo, no less) with data based on information passed in from the user (which could be tainted). If you're really sure that output is valid and doesn't pose risk, you need to untaint it: see the official documentation about laundering tainted data.

You need to be really careful when running external programs or performing system operations from a CGI -- for example, consider what might happen if you enter `rm -rf /` as user input. There's lots of information at perldoc perlsec to get you started, but several books have been written about writing secure code as well.
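Putting both answers together (the PATH clean-up from the accepted answer and the laundering of user input from this one), here is an added example of a taint-mode CGI; it is not code from either answer. It assumes a hypothetical query parameter `addr`, that the web server's user is permitted in sudoers to run this one `iptables -C` invocation, and it uses a read-only rule check rather than a rule change:

```perl
#!/usr/bin/perl -T
# Added example, not from the original answers: a taint-mode CGI that
# sanitises the environment as perlsec recommends and launders one user
# parameter with an allow-list regex before passing it to an external program.
use strict;
use warnings;
use CGI qw(param header);

# perlsec "Cleaning Up Your Path": set PATH to known-good directories and
# remove the other variables a shell or child process might read.
$ENV{PATH} = '/sbin:/usr/sbin:/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical parameter: an IPv4 address the CGI is allowed to check.
# Everything coming from param() is tainted under -T.
my $raw = defined param('addr') ? param('addr') : '';

# Untainting only happens by capturing a match; a bare /.../ test is not
# enough. The pattern is a strict allow-list: four dotted decimal octets and
# nothing else, anchored at both ends so no extra characters can ride along.
my ($addr) = $raw =~ /\A((?:\d{1,3}\.){3}\d{1,3})\z/
    or do { print header(-status => '400 Bad Request'), "invalid address\n"; exit };

print header('text/plain');

# List form of system(): no shell is involved, so shell metacharacters in
# $addr would not be interpreted even if the regex above were looser.
# "iptables -C" only reports whether a matching rule exists (exit 0) or not
# (exit 1); it changes nothing (assumes sudoers allows exactly this command).
my $rc = system('/usr/bin/sudo', '/sbin/iptables', '-C', 'INPUT',
                '-s', $addr, '-j', 'DROP');

if ($rc == -1) {
    print "could not run iptables: $!\n";
} elsif (($rc >> 8) == 0) {
    print "$addr is currently blocked in INPUT\n";
} else {
    print "$addr is not blocked in INPUT\n";
}
```

Two points worth keeping in mind: the regex capture is what removes the taint, so a looser pattern (for example one without the `\A`/`\z` anchors) would still "work" but would let unexpected bytes through to sudo; and the list form of `system()` is what keeps the shell out of the picture, which is the real answer to the `rm -rf /` concern above.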

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow