Never call any formatted I/O function with a format string containing user input.
An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter or cause a denial of service. She can also modify values, perhaps by using the %n conversion specifier, and use these values to divert control flow. Her capabilities are not as strong as in C [Seacord 2005]; nonetheless, the danger is sufficiently great that formatted output functions such as printf() should never be passed unsanitized format strings.
Noncompliant Code Example
This noncompliant code example tries to authenticate a user by having the user supply a password and granting access only if the password is correct.
The program works as expected as long as the user name and host name are benign:
However, the program can be foiled by a malicious user name:
In this invocation, the malicious user name user%n was incorporated into the $prompt string. When fed to the printf() call inside the program, the %n instructed Perl to fill the first format string argument with the number of characters printed, which caused Perl to set the $is_ok variable to 4. Since it is now nonzero, the program incorrectly grants access to the user.
Compliant Solution
This compliant solution avoids the use of printf(), since print() provides sufficient functionality.
Perl's taint mode provides partial detection of unsanitized input in format strings.
Perl's warnings can detect if a call to sprintf() contains the wrong number of format string arguments.
|Warnings||Missing argument in .*printf|
|Taint mode||Insecure dependency in .*printf|
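The following Perl script is an added example, not code from the original page. It contrasts the noncompliant pattern described above (a user-influenced $prompt interpolated into the format string) with a constant format string and with plain print-style output, and promotes the "Missing argument" warning to an error so the misuse is caught. The user name user%d, the host name and the sub names are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed sample input: a user name that carries a conversion specifier.
my $user   = 'user%d';
my $host   = 'example-host';    # assumed host name
my $prompt = "$user\@$host";
my $is_ok  = 0;                 # the password check failed

# Noncompliant pattern: $prompt is interpolated into the format string, so
# the %d hidden in the user name consumes the argument meant for the real %d.
sub status_unsafe {
    my ($prompt, $is_ok) = @_;
    return sprintf "$prompt: Password ok? %d\n", $is_ok;
}

# Constant format string: the prompt is passed as data and never parsed.
sub status_constant_format {
    my ($prompt, $is_ok) = @_;
    return sprintf "%s: Password ok? %d\n", $prompt, $is_ok;
}

# No format string at all, suitable for print().
sub status_plain {
    my ($prompt, $is_ok) = @_;
    return "$prompt: Password ok? $is_ok\n";
}

my @cases = (
    [ 'unsafe'          => \&status_unsafe ],
    [ 'constant format' => \&status_constant_format ],
    [ 'plain print'     => \&status_plain ],
);

for my $case (@cases) {
    my ($label, $build) = @$case;
    my $line = eval {
        # Treat any warning (here "Missing argument in sprintf") as fatal.
        local $SIG{__WARN__} = sub { die @_ };
        $build->($prompt, $is_ok);
    };
    if (defined $line) {
        print "$label: $line";
    } else {
        chomp(my $err = $@);
        print "$label: rejected ($err)\n";
    }
}
```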
|[Christey 2005]||Format string vulnerabilities in Perl programs|
|[Seacord 2005]||Chapter 6, "Formatted Output"|
|[VU#948385]||Perl contains an integer sign error in format string processing|