
Wednesday, November 26 2003

Movable Thoughts #21 : Removed -T from mt.cfg and mt-send-entry.cgi

You can enable taint mode explicitly with the -T command-line switch. You should do this for daemons, servers, and any programs that run on behalf of someone else, such as CGI scripts. Programs that can be run remotely or anonymously by anyone on the Net are executing in the most hostile of environments. You should not be afraid to say No! occasionally. Contrary to popular belief, you can exercise a great deal of prudence without dehydrating into a wrinkled prude.

On the more security-conscious sites, running all CGI scripts under the -T flag isn't just a good idea: it's the law. We're not claiming that running in taint mode is sufficient to make your script secure. It's not, and it would take a whole book just to mention everything that would. But if you aren't executing your CGI scripts under taint mode, you've needlessly abandoned the strongest protection Perl can give you.

The Camel Book, 3.0

Prompted by all the talk about using Movable Type as an open relay for spammers, I decided to poke at the actual code and see what was going on.

There really isn't anywhere that Movable Type should be disabling taint mode, but if I had to list the scripts in order of importance, mt-send-entry.cgi would be near the top.

The script hands data typed by an anonymous visitor off to the sendmail program, whose entire existence has been marked by security exploits, and there is nothing to suggest that more won't be found in the future. With -T on, Perl refuses outright to use an unlaundered value in a piped open, system or exec, so a tainted "to" or "from" address would never reach sendmail; with -T off, whatever came in over the wire goes straight through. Relying on sendmail to test for Potential Badness passed along by a ne'er-do-well via the Internet is wishful thinking, at best, and just plain crazy, at worst.

In fairness, the Movable Type mail widget tries to load Mail::Sendmail, which does some basic sanity checking and, drumroll, untainting on the stuff you pass it. On the other hand it is not part of the core libraries shipped with Perl, nor is it in Movable Type's extlib directory, which is a mystery since two-thirds of its dependencies are part of CORE and the other third has no non-standard requirements itself.

Untainting email addresses can be brain-crushingly difficult and inaccurate, and the last thing you want to do when you're selling a computer widget to non-technical people is start spewing errors where there are none. But not only did the Movable Type kids disable the -T flag on the mt-send-entry.cgi script, they don't appear to have ever done any kind of untainting on the to and from parameters. Hello? Is anyone home?
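To make the point concrete, here is what an untainted version of the hand-off looks like. This is an added example, not Movable Type's code nor the code I sent Ben; the sendmail path, the parameter names and the (deliberately strict) address pattern are my assumptions. It runs with -T left on and never lets an unlaundered address near sendmail.

```perl
#!/usr/bin/perl -T
# Added example (not Movable Type's own code): untainting the 'to' and 'from'
# CGI parameters before handing them to sendmail, with taint mode left on.
# $SENDMAIL, the parameter names and the address regex are assumptions.
use strict;
use warnings;
use CGI;

# Under -T, anything from outside the program (CGI params, %ENV, STDIN) is
# tainted, and Perl dies with "Insecure dependency" if it is used in a piped
# open, system(), exec() or a filename before a regex capture launders it.
# A tainted PATH blocks the pipe open too, so set it to something known.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SENDMAIL = '/usr/sbin/sendmail';    # assumed location

# Deliberately conservative: this admits one plain addr-spec and nothing
# else, so the result cannot carry spaces, newlines (header injection),
# commas (extra recipients) or shell metacharacters. It will reject some
# legal but exotic addresses; that is the trade-off being made here.
sub untaint_address {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if length $raw > 254;
    if ($raw =~ /\A([A-Za-z0-9._%+-]{1,64}\@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\z/) {
        return $1;    # the capture is the untainted copy
    }
    return undef;
}

my $q    = CGI->new;
my $to   = untaint_address(scalar $q->param('to'));
my $from = untaint_address(scalar $q->param('from'));

unless (defined $to && defined $from) {
    print $q->header(-status => '400 Bad Request'), "Bad e-mail address\n";
    exit 0;
}

# List-form open: no shell is involved, so an address can never be parsed
# as a command. -oi keeps a lone '.' line from ending the message, and the
# recipient is given on the command line rather than via -t so that
# headers smuggled into the body cannot add recipients.
open(my $mail, '|-', $SENDMAIL, '-oi', '-f', $from, $to)
    or die "cannot run $SENDMAIL: $!";
print $mail "From: $from\n",
            "To: $to\n",
            "Subject: Entry sent from the weblog\n\n",
            "(message body here)\n";
close($mail) or die "sendmail exited with status ", $? >> 8, "\n";
```

Note that the regex capture is the whole untainting mechanism: Perl treats whatever comes out of a capture group as clean, so the strictness of the pattern is the strictness of the check. A pattern like /(.*)/ "untaints" too, and is exactly the kind of thing that gets written when -T is turned on purely to make the errors go away.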

I find this especially discouraging because one of the first things I did when Movable Type was released was send Ben code to at least try and untaint email addresses.
