Insecure dependency in unlink while running with -T switch

Discussion in 'Perl Misc' started by Regent, Apr 23, 2004.

  1. Regent

    Regent Guest

    I must say I'm a newbie, writing a script that tries to unlink a
    particular file. Both the name of the file and that of the folder are
    variable scalar strings. Now that I habitually write with -T and
    strictures, I always get the error message "Insecure dependency in
    unlink while running with -T switch". The relevant block of code:

    if ("$root/$uploadDir/$origfn" ne "")
    {
        my $toDel = "$root/$uploadDir/$origfn";
        unlink ($toDel) or die "$!";
    }

    where $root is the root path of the web site, $uploadDir is a folder for
    temporary uploads, $origfn is the name of the file to be deleted.

    How do I solve this problem? Thanks
    --
    Regent
    Regent, Apr 23, 2004
    #1

  2. Regent wrote:
    > I must say I'm a newbie, writing a script that tries to unlink a
    > particular file. Both the name of the file and that of the folder
    > are variable scalar strings. Now that I habitually write with -T
    > and strictures, I always get the error message "Insecure dependency
    > in unlink while running with -T switch".


    <snip>

    > How do I solve this problem?


    You learn how to untaint a tainted variable by studying "perldoc
    perlsec". If you "habitually" have -T enabled, I can't believe that
    you haven't done so before.

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
    Gunnar Hjalmarsson, Apr 23, 2004
    #2

  3. Regent

    Joe Smith Guest

    Regent wrote:

    > Both the name of the file and that of the folder are variable scalar strings.


    If the variables are set from user input, they are tainted.

    > I always get the error message "Insecure dependency in
    > unlink while running with -T switch". The relevant block of code:
    > my $toDel = "$root/$uploadDir/$origfn";
    > unlink ($toDel) or die "$!";


    Imagine that $root or $uploadDir has "../../../etc".
    Perl is saying that you haven't done enough to eliminate that possibility.

    > How do I solve this problem? Thanks


    Follow the suggestions in the docs that describe the -T switch.
    -Joe
    Joe Smith, Apr 23, 2004
    #3
  4. Regent wrote:
    >
    > I must say I'm a newbie, writing a script that tries to unlink a
    > particular file. Both the name of the file and that of the folder are
    > variable scalar strings. Now that I habitually write with -T and
    > strictures, I always get the error message "Insecure dependency in
    > unlink while running with -T switch". The relevant block of code:
    >
    > if ("$root/$uploadDir/$origfn" ne "")


    "$root/$uploadDir/$origfn" will NEVER be equal to "" because you have
    two literal / characters in the string.


    John
    --
    use Perl;
    program
    fulfillment
    John W. Krahn, Apr 24, 2004
    #4
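
What the replies point to (untainting as described in "perldoc perlsec", ruling out "../../../etc", and testing the file name rather than the joined path for emptiness), shown as an added example that is not code from any poster in this thread. The helper names untaint_filename and delete_upload and the sample paths are hypothetical, and the example assumes $root and $uploadDir are set by the script itself so that only $origfn is tainted.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl [name ...]   (file name is arbitrary)
use strict;
use warnings;

# Assumption: $root and $uploadDir are set by the script itself, so only
# $origfn (the user-supplied upload name) is tainted.
my $root      = '/var/www/example';   # constructed sample path
my $uploadDir = 'tmp_uploads';        # constructed sample folder

# Hypothetical helper: returns an untainted copy of a single file name,
# or undef if the name is empty or contains anything unexpected.
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    # First character must be alphanumeric or "_", which rejects ".",
    # ".." and dotfiles; "/" is not in the class, so no directory part
    # gets through. \z (unlike $) also refuses a trailing newline.
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,254})\z/ ? $1 : undef;
}

# Hypothetical replacement for the unlink block in the question.
sub delete_upload {
    my ($origfn) = @_;
    my $safe = untaint_filename($origfn)
        // die "Refusing to delete: unacceptable file name\n";
    my $toDel = "$root/$uploadDir/$safe";
    unlink($toDel) or die "Cannot unlink $toDel: $!\n";
    return $toDel;
}

# Dry run over constructed sample names (or names given on the command
# line, which are tainted under -T); nothing is deleted here.
my @names = @ARGV ? @ARGV
          : ('report.txt', '../../../etc/passwd', '', '.htaccess', "a.txt\n");
for my $name (@names) {
    my $safe = untaint_filename($name);
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-24s %s\n", "'$shown'",
        defined $safe ? "ok -> $root/$uploadDir/$safe" : 'rejected';
}
```

Only the value captured in $1 is untainted, so the pattern has to describe exactly what is allowed; a catch-all such as /(.*)/ would silence the error without checking anything.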