Does Perl's unpack function have format vulnerabilities?

Question

I'm using Perl for the first time for production software and I have some trust issues with it. When I use the unpack() function, is it safe to use user input in the TEMPLATE string? I'm using a TEMPLATE like "Z$user_controlled" to read a string value to a variable. The constant $user_controlled is defined external source that the user can control. Am I taking a risk? Can an attacker do something bad if he changes the TEMPLATE string into something weird?

EDIT: Changed the wording to be more generic.

Depends on the configuration – Lucas Kauffman Jul 10 '15 at 10:34 — Lucas Kauffman, Jul 10 '15 at 10:34

score 1 · Answer 1 · answered Jul 13 '15 at 19:04

The "p" template parameter will interpret its part of the input string as a memory address (available to the Perl interpreter's process), and copy all characters from that address, up to the next null character, into the returned string. This might also cause a segfault/access violation if memory at this address is not readable.

The "P" template parameter is similar, but the length of the copied string is fixed, and provided in the template.

These parameters exist to allow access to data outside of the input string, so you should probably check into how they could be abused on your platform.

Does Perl's unpack function have format vulnerabilities?

1 Answers1