From 571dae4428d12b1ebba56a36b9b43fca28449781 Mon Sep 17 00:00:00 2001 From: Axel Burri Date: Mon, 25 Sep 2017 16:05:42 +0200 Subject: [PATCH] btrbk: do not run in perl taint mode by default: remove "perl -T" in hashbang; hardcode $PATH only if taint mode is enabled While taint mode [1] is a nice feature of perl, e.g. it disallows using variables (such as filenames from the config file) which were not validated in system() commands, it also treats $PATH as insecure (which inherently is, as perl cannot know who messed around with it). [1] perlsec(1): http://perldoc.perl.org/perlsec.html [2] perlrun(1): http://perldoc.perl.org/perlrun.html Note that btrbk still does all taint checks, and can be run in taint mode: - by executing `perl -T /usr/sbin/btrbk`, - or by changing the hashbang to: `!#/usr/bin/perl -T`.
---
 ChangeLog | 2 ++
 btrbk | 22 +++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 22ba248..374f87d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@ btrbk-current
 line option (which is now deprecated).
 * Add "snapshot" command (close #150).
 * Add "--preserve-snapshots" and "--preserve-backups" options.
+ * Do not run in "perl taint mode" by default: remove "perl -T" in
+ hashbang; hardcode $PATH only if taint mode is enabled.
 * Remove "duration" column from transaction_log/transaction_syslog.
 * Bugfix: ssh_filter_btrbk: accept mbuffer command (stream_buffer).
 * Bugfix: print correct (end-)time in transaction_log.
diff --git a/btrbk b/btrbk
index 8f0b1de..7096ba2 100755
--- a/btrbk
+++ b/btrbk
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -T
+#!/usr/bin/perl
 #
 # btrbk - Create snapshots and remote backups of btrfs subvolumes
 #
@@ -3707,10 +3707,22 @@ sub exit_status MAIN: { - # set PATH instead of using absolute "/sbin/btrfs" (for now), as - # different distros (and even different versions of btrfs-progs) - # install the "btrfs" executable to different locations. - $ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin'; + # NOTE: Since v0.26.0, btrbk does not enable taint mode (perl -T) by + # default, and does not hardcode $PATH anymore. + # + # btrbk still does all taint checks, and can be run in taint mode. + # In order to enable taint mode, run `perl -T btrbk`. + # + # see: perlrun(1), perlsec(1) + # + my $taint_mode_enabled = eval '${^TAINT}'; + if($taint_mode_enabled) { + # we are running in tainted mode (perl -T), sanitize %ENV + delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; + + # in taint mode, perl needs an untainted $PATH. + $ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin'; + } Getopt::Long::Configure qw(gnu_getopt); my $start_time = time;
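Review bot: The `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` line sits inside `if($taint_mode_enabled)`, so in the new default (no -T) btrbk starts its external commands with the caller's IFS, CDPATH, ENV, BASH_ENV and $PATH untouched. Dropping the hardcoded $PATH is the stated aim of the commit, but the delete does not depend on where btrfs is installed and could move above the `if` so it always runs; privileged callers (cron, sudo) would then only need to guarantee a trusted $PATH. The NOTE comment could also state what is lost without -T, e.g. `# without -T perl no longer refuses unvalidated values in commands; a missed validation goes unnoticed`. As a style point, `${^TAINT}` is an ordinary read-only variable, so `my $taint_mode_enabled = ${^TAINT};` would avoid the string eval, unless the eval is there for a perl older than 5.8. The MAIN block continues past the end of the hunk.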