Find::File and taint mode

Discussion in 'Perl Misc' started by Dave Saville, Nov 18, 2003.

  1. Dave Saville

    Dave Saville Guest

    I have a cgi script that uses File::Find.

    find(\&wanted, 'D:/Apps/SouthSide/PMMail');

    I am getting:

    Insecure dependency in chdir while running with -T switch at
    D:/usr/lib/perl/lib
    /5.8.0/File/Find.pm line 807.

    How can I get around this?

    TIA

    Regards

    Dave Saville

    NB switch saville for nospam in address
    Dave Saville, Nov 18, 2003
    #1

  2. Dave Saville wrote:
    > I have a cgi script that uses File::Find.
    >
    > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
    >
    > I am getting:
    >
    > Insecure dependency in chdir while running with -T switch at
    > D:/usr/lib/perl/lib
    > /5.8.0/File/Find.pm line 807.
    >
    > How can I get around this?


    By using the 'untaint' option. See the File::Find docs.

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
    Gunnar Hjalmarsson, Nov 18, 2003
    #2

  3. Dave Saville

    Ben Morrow Guest

    Gunnar Hjalmarsson <> wrote:
    > Dave Saville wrote:
    > > I have a cgi script that uses File::Find.
    > >
    > > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
    > >
    > > I am getting:
    > >
    > > Insecure dependency in chdir while running with -T switch at
    > > D:/usr/lib/perl/lib
    > > /5.8.0/File/Find.pm line 807.
    > >
    > > How can I get around this?

    >
    > By using the 'untaint' option. See the File::Find docs.


    You could also use the 'no_chdir' option, which may or may not be
    safer...

    Ben

    --
    perl -e'print map {/.(.)/s} sort unpack "a2"x26, pack "N"x13,
    qw/1632265075 1651865445 1685354798 1696626283 1752131169 1769237618
    1801808488 1830841936 1886550130 1914728293 1936225377 1969451372
    2047502190/' #
    Ben Morrow, Nov 18, 2003
    #3
  4. Dave Saville

    Dave Saville Guest

    On Tue, 18 Nov 2003 20:32:04 +0000 (UTC), Ben Morrow wrote:

    >
    >Gunnar Hjalmarsson <> wrote:
    >> Dave Saville wrote:
    >> > I have a cgi script that uses File::Find.
    >> >
    >> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
    >> >
    >> > I am getting:
    >> >
    >> > Insecure dependency in chdir while running with -T switch at
    >> > D:/usr/lib/perl/lib
    >> > /5.8.0/File/Find.pm line 807.
    >> >
    >> > How can I get around this?

    >>
    >> By using the 'untaint' option. See the File::Find docs.

    >
    >You could also use the 'no_chdir' option, which may or may not be
    >safer...


    Thanks - but File::Find is so S L O W I am going to have to rethink it
    anyway.

    Regards

    Dave Saville

    NB switch saville for nospam in address
    Dave Saville, Nov 18, 2003
    #4
  5. Dave Saville

    Dave Saville Guest

    On Tue, 18 Nov 2003 20:32:04 +0000 (UTC), Ben Morrow wrote:

    >
    >Gunnar Hjalmarsson <> wrote:
    >> Dave Saville wrote:
    >> > I have a cgi script that uses File::Find.
    >> >
    >> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
    >> >
    >> > I am getting:
    >> >
    >> > Insecure dependency in chdir while running with -T switch at
    >> > D:/usr/lib/perl/lib
    >> > /5.8.0/File/Find.pm line 807.
    >> >
    >> > How can I get around this?

    >>
    >> By using the 'untaint' option. See the File::Find docs.


    What I don't understand is why perl thinks it is tainted - all I am
    passing is a quoted string.

    Regards

    Dave Saville

    NB switch saville for nospam in address
    Dave Saville, Nov 18, 2003
    #5
  6. Dave Saville

    Ben Morrow Guest

    "Dave Saville" <> wrote:
    > On Tue, 18 Nov 2003 20:32:04 +0000 (UTC), Ben Morrow wrote:
    > >Gunnar Hjalmarsson <> wrote:
    > >> Dave Saville wrote:
    > >> > I have a cgi script that uses File::Find.
    > >> >
    > >> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
    > >> >
    > >> > I am getting:
    > >> >
    > >> > Insecure dependency in chdir while running with -T switch at

    >
    > What I don't understand is why perl thinks it is tainted - all I am
    > passing is a quoted string.


    It's not that that's tainted: that string's fine. It's the next set of
    strings: the list of directories in PMMail to recurse into. Since
    those names have come from readdir, which brings data in from outside
    the program, they're tainted. If you are *quite* sure that no one
    untrusted can affect the names of those directories, then it is safe
    to use the 'untaint' option.

    Ben

    --
    It will be seen that the Erewhonians are a meek and long-suffering people,
    easily led by the nose, and quick to offer up common sense at the shrine of
    logic, when a philosopher convinces them that their institutions are not based
    on the strictest morality. [Samuel Butler, paraphrased]
    Ben Morrow, Nov 18, 2003
    #6
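
The two options suggested in this thread, side by side, as an added example (not code from any of the posters). It assumes a Unix-like system with a writable /tmp; the sample tree, its file names and the stricter `untaint_pattern` are constructed for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Find;
use Scalar::Util qw(tainted);

# Constructed sample tree standing in for the mail directory in the thread.
my $root  = "/tmp/ff_taint_demo_$$";         # literal + PID: not tainted
my @dirs  = ($root, "$root/inbox", "$root/odd;name");
my @files = ("$root/inbox/msg1.txt", "$root/odd;name/msg2.txt");
mkdir $_ or die "mkdir $_: $!" for @dirs;
for my $f (@files) { open my $fh, '>', $f or die "open $f: $!"; close $fh }

# 'untaint' also checks the starting directory against the pattern,
# so start from one that is known to match.
chdir '/' or die "chdir /: $!";

# Option 1: untaint. Directory names read from disk must match the
# pattern before File::Find will chdir into them; with untaint_skip a
# non-matching directory is skipped with its subtree instead of dying.
my @via_untaint;
find({
    wanted          => sub { push @via_untaint, $File::Find::name if -f },
    untaint         => 1,
    untaint_pattern => qr{^([-\w./]+)$},     # no ';', spaces, etc.
    untaint_skip    => 1,
}, $root);

# Option 2: no_chdir. No chdir happens, so nothing trips the taint check,
# but every directory is entered and $_ holds the full path.
my @via_no_chdir; my $still_tainted = 0;
find({
    no_chdir => 1,
    wanted   => sub {
        return unless -f;
        push @via_no_chdir, $_;
        $still_tainted++ if tainted($_);     # names stay tainted either way
    },
}, $root);

print "untaint:  $_\n" for @via_untaint;
print "no_chdir: $_\n" for @via_no_chdir;
print "tainted names seen by wanted(): $still_tainted\n";

# Remove the constructed tree (all names here are literals, so untainted).
unlink @files;
rmdir $_ for reverse @dirs;
```

Run it as `perl -T script.pl`. The default `untaint_pattern` given in the File::Find documentation is `qr|^([-+@\w./]+)$|`, which a drive-letter path containing `:` does not match, so any such path File::Find has to untaint (the current working directory included) needs a pattern that allows the colon.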