[PRL] risks of parsing and quoting

Doug Orleans dougorleans at gmail.com
Thu Apr 12 01:58:04 EDT 2007


An interesting case study of a security hole in a Perl CGI script:

http://blog.plover.com/oops/security-problem.html

My knee-jerk reaction was that Perl's string interpolation was
inherently insecure, but it occurs to me that I've done plenty of
string-append (and format) using form-submitted user data in Scheme
myself.  I'm also noticing that PLT's smtp-send-message (in
net/smtp.ss) doesn't verify that its recipient strings are valid email
addresses, so it could probably be hijacked in the same way.  Is this
something that could be checked in a contract?  RFC822 addresses are
pretty hard to validate; see this 6343-character regexp:
http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html

The article has the following quote (from another article):

  The essence of user interfaces is parsing: converting an
  unstructured sequence of commands, in a format usually determined
  more by psychology than by solid engineering, into structured data.

  When another programmer wants to talk to a user interface, he has to
  quote: convert his structured data into an unstructured sequence of
  commands that the parser will, he hopes, convert back into the
  original structured data.

  This situation is a recipe for disaster. The parser often has bugs:
  it fails to handle some inputs according to the documented
  interface. The quoter often has bugs: it produces outputs that do
  not have the right meaning. Only on rare joyous occasions does it
  happen that the parser and the quoter both misinterpret the
  interface in the same way.

  When the original data is controlled by a malicious user, many of
  these bugs translate into security holes.

This makes me think of Karl's "Structure-Shy Object" design pattern:
http://www.ccs.neu.edu/research/demeter/adaptive-patterns/AOP/Structure-Shy-Object
I'm not sure if this helps or hurts security.

Also, I'm surprised that some apparently smart person who figured out
the exploit either works for a spammer or sold it to a spammer.  I'd
have thought that those kinds of smart people were more interested in
warez and other hackish things.  Or maybe he just published it
somewhere where a spammer found it.  Either way, it's interesting to
see that spammers have evolved some access to intelligence.

--Doug
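A worked illustration of the parser/quoter mismatch the post talks about, added here as an example; it is not code from the plover article, from PLT's net/smtp.ss, or from anyone in the thread. It is in Python rather than Perl or Scheme, and the form values, the header names and the narrow address pattern are constructed assumptions of mine. The "naive" builder interpolates the recipient the way a form-to-mail script typically does (the quoter), a small header parser shows what a mail agent would then make of the result (the parser), and the checked builder refuses anything outside a deliberately narrow subset of RFC 822 addresses instead of trying to accept the full grammar that the 6343-character regexp covers.

```python
import re

# Constructed sample form input: what a legitimate user submits, and what a
# spammer submits to smuggle extra recipients through a naive quoter.
GOOD_RECIPIENT = "alice@example.com"
INJECTED_RECIPIENT = "alice@example.com\r\nBcc: spam1@example.net, spam2@example.net"


def build_headers_naive(sender, recipient, subject):
    """The quoter as a careless form-to-mail script does it: form data is
    pasted straight into the header block with string interpolation."""
    return (
        f"From: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
    )


def parse_headers(raw):
    """The parser side: a mail agent reads CRLF-separated 'Name: value' lines
    up to the first blank line.  It has no idea which text came from the
    script and which came from the user."""
    headers = []
    for line in raw.split("\r\n"):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def recipients_seen(raw):
    """Every address the mail agent would deliver to (To, Cc and Bcc)."""
    out = []
    for name, value in parse_headers(raw):
        if name.lower() in ("to", "cc", "bcc"):
            out.extend(a.strip() for a in value.split(",") if a.strip())
    return out


# Assumed, deliberately narrow address shape: one token, exactly one '@',
# dotted domain.  It rejects many addresses RFC 822 allows (quoted local
# parts, comments, display names); the trade is a subset that cannot be
# misparsed against a full grammar that might be.
_STRICT_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_address(s):
    """True only for a single bare address with no header or list delimiters."""
    if any(c in s for c in "\r\n,;<>\"() \t"):
        return False
    return _STRICT_ADDRESS.fullmatch(s) is not None


def build_headers_checked(sender, recipient, subject):
    """Same quoter, but it refuses input that the parser could read as more
    than one header field or more than one recipient."""
    for field, value in (("sender", sender), ("recipient", recipient)):
        if not is_safe_address(value):
            raise ValueError(f"refusing unsafe {field}: {value!r}")
    if "\r" in subject or "\n" in subject:
        raise ValueError("refusing subject containing a line break")
    return build_headers_naive(sender, recipient, subject)


if __name__ == "__main__":
    for label, rcpt in (("good", GOOD_RECIPIENT), ("injected", INJECTED_RECIPIENT)):
        raw = build_headers_naive("web@example.org", rcpt, "your file")
        print(f"{label}: naive quoter -> delivered to {recipients_seen(raw)}")
        try:
            build_headers_checked("web@example.org", rcpt, "your file")
            print(f"{label}: checked quoter accepted it")
        except ValueError as e:
            print(f"{label}: checked quoter {e}")
```

The check is intentionally not an RFC 822 validator. The property the script needs is not "this is a valid address" but "the mail agent will parse this as exactly the one recipient the user named", and a small whitelist establishes that directly, where a full-grammar regexp would have to be proven to agree with the receiving parser on every input.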
