btrbk: do not run in perl taint mode by default: remove "perl -T" in hashbang; hardcode $PATH only if taint mode is enabled

While taint mode [1] is a nice feature of perl, e.g. it disallows using variables (such as filenames from the config file) which were not validated in system() commands, it also treats $PATH as insecure (which inherently is, as perl cannot know who messed around with it). [1] perlsec(1): http://perldoc.perl.org/perlsec.html [2] perlrun(1): http://perldoc.perl.org/perlrun.html Note that btrbk still does all taint checks, and can be run in taint mode: - by executing `perl -T /usr/sbin/btrbk`, - or by changing the hashbang to: `!#/usr/bin/perl -T`.
2017-09-25 16:05:42 +02:00 · 2017-09-25 16:05:42 +02:00 · 571dae4428
parent 5f867c2347
commit 571dae4428
2 changed files with 19 additions and 5 deletions
--- a/2
+++ b/2
@ -4,6 +4,8 @@ btrbk-current
    line option (which is now deprecated).
  * Add "snapshot" command (close #150).
  * Add "--preserve-snapshots" and "--preserve-backups" options.
+  * Do not run in "perl taint mode" by default: remove "perl -T" in
+    hashbang; hardcode $PATH only if taint mode is enabled.
  * Remove "duration" column from transaction_log/transaction_syslog.
  * Bugfix: ssh_filter_btrbk: accept mbuffer command (stream_buffer).
  * Bugfix: print correct (end-)time in transaction_log.
--- a/22
+++ b/22
@ -1,4 +1,4 @@
-#!/usr/bin/perl -T
+#!/usr/bin/perl
 #
 # btrbk - Create snapshots and remote backups of btrfs subvolumes
 #
@ -3707,10 +3707,22 @@ sub exit_status

 MAIN:
 {
-  # set PATH instead of using absolute "/sbin/btrfs" (for now), as
-  # different distros (and even different versions of btrfs-progs)
-  # install the "btrfs" executable to different locations.
-  $ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
+  # NOTE: Since v0.26.0, btrbk does not enable taint mode (perl -T) by
+  # default, and does not hardcode $PATH anymore.
+  #
+  # btrbk still does all taint checks, and can be run in taint mode.
+  # In order to enable taint mode, run `perl -T btrbk`.
+  #
+  # see: perlrun(1), perlsec(1)
+  #
+  my $taint_mode_enabled = eval '${^TAINT}';
+  if($taint_mode_enabled) {
+    # we are running in tainted mode (perl -T), sanitize %ENV
+    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
+
+    # in taint mode, perl needs an untainted $PATH.
+    $ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
+  }

  Getopt::Long::Configure qw(gnu_getopt);
  my $start_time = time;