Perl Taint issue

Discussion in 'Perl Misc' started by Mark J Fenbers, Jan 28, 2004.

  1. Consider this stripped-down Perl script:

    #!/usr/bin/perl -w -T
    use strict;

    foreach my $file ( <ahps.dat.???> ) {
        open(OUT, ">$file.new") or die "message...";
        # do stuff;
        close OUT;
    }

    I get a taint dependency error on the "open" statement. The "perlsec" man page
    says this is a tainted situation (and I understand why), but it offers little
    advice of how to get around it. In the unstripped program, given filenames such
    as "ahps.dat.cle", I want to read in data from the file, modify the data, and
    write the altered data back out to a file called "ahps.dat.cle.new" for human
    examination... but it won't let me do this with "-T" unless I hardwire the
    output filename (which isn't a reasonable solution).

    Any ideas to get around this?

    Mark
     
    Mark J Fenbers, Jan 28, 2004
    #1

  2. gnari

    "Mark J Fenbers" <> wrote in message
    news:...
    > Consider this stripped-down Perl script:
    >
    > #!/usr/bin/perl -w -T
    > use strict;
    >
    > foreach my $file ( <ahps.dat.???> ) {
    >     open(OUT, ">$file.new") or die "message...";
    >     # do stuff;
    >     close OUT;
    > }
    >
    > I get a taint dependency error on the "open" statement. The "perlsec" man page
    > says this is a tainted situation (and I understand why), but it offers little
    > advice of how to get around it. In the unstripped program, given filenames such
    > as "ahps.dat.cle", I want to read in data from the file, modify the data, and
    > write the altered data back out to a file called "ahps.dat.cle.new" for human
    > examination... but it won't let me do this with "-T" unless I hardwire the
    > output filename (which isn't a reasonable solution).
    >
    > Any ideas to get around this?


    doesn't the usual work?

    if ($file =~ /(^ahps\.dat\.[a-z]{3})$/) { # for example
        my $newfile = "$1.new";
        # do stuff
    }

    gnari
     
    gnari, Jan 28, 2004
    #2
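The whitelist untaint gnari describes, carried through to a complete read-modify-write loop under -T, as an added example that is not part of the thread. It assumes the data files are named ahps.dat. followed by exactly three lowercase letters, stands in for "do stuff" with an uppercase transform, and uses a helper name (untaint_datafile) chosen here; the Scalar::Util tainted() check is only there to make the taint flag visible.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): the whitelist-regex untaint applied to
# the OP's read-modify-write loop. Assumptions: data files are named
# ahps.dat.<three lowercase letters>; "do stuff" is an uppercase transform.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Returns the untainted filename, or undef if the name is not on the whitelist.
# Perl only untaints what a regex captures, so the pattern must describe
# exactly the set of names this program is willing to open. A catch-all such
# as /^(.*)$/ would "untaint" the string without validating anything.
sub untaint_datafile {
    my ($name) = @_;
    return unless $name =~ m{^(ahps\.dat\.[a-z]{3})$};
    return $1;
}

foreach my $candidate ( glob('ahps.dat.???') ) {
    # Under -T the results of glob() (the OP's <ahps.dat.???>) are tainted,
    # which is why the OP's open() on ">$file.new" was refused.
    print "glob result tainted: ", (tainted($candidate) ? "yes" : "no"), "\n";

    my $file = untaint_datafile($candidate);
    unless (defined $file) {
        warn "skipping '$candidate': not a whitelisted data file name\n";
        next;
    }

    # Three-argument open with lexical filehandles; $file is now clean, and
    # "$file.new" is built only from clean data.
    open(my $in,  '<', $file)       or die "cannot read $file: $!";
    open(my $out, '>', "$file.new") or die "cannot write $file.new: $!";
    while (my $line = <$in>) {
        print {$out} uc $line;   # stand-in for "do stuff"
    }
    close $in;
    close $out or die "cannot close $file.new: $!";
    print "wrote $file.new\n";
}
```

Run it as `perl -T example.pl` in a directory containing ahps.dat.xxx files (or make it executable and run it directly so the shebang's -T takes effect; `perl example.pl` without -T dies with "Too late for -T"). Names that do not match the whitelist, including anything containing a path separator, are skipped rather than opened.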

  3. In article <>,
    Mark J Fenbers <> wrote:
    :Consider this stripped-down Perl script:

    :#!/usr/bin/perl -w -T
    :use strict;

    :foreach $file ( <ahps.dat.???> ) {
    : open(OUT, ">$file.new") or die "message...";
    : # do stuff;
    : close OUT;
    :}

    :I get a taint dependency error on the "open" statement. The "perlsec" man page
    :says this is a tainted situation (and I understand why), but it offers little
    :advice of how to get around it.

    Use the standard de-tainting idiom:

    #!/usr/bin/perl -w -T
    use warnings;
    use strict;

    foreach my $taintedfile ( <ahps.dat.??> ) {
    my $file = $taintedfile =~ m/^(.*)$/;
    open(OUT, ">$file.new") or die "message...";
    # do stuff;
    close OUT;
    }
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Walter Roberson, Jan 28, 2004
    #3
  4. Walter Roberson wrote:
    > Use the standard de-tainting idiom:
    >
    > #!/usr/bin/perl -w -T
    > use warnings;
    > use strict;
    >
    > foreach my $taintedfile ( <ahps.dat.??> ) {
    > my $file = $taintedfile =~ m/^(.*)$/;

    -------^^^^^----------------------^^^^

    What's standard about that buggy code?

    First, if you consider /^(.*)$/ to be "standard" for untainting, you
    can as well just remove the -T switch. Please study

    http://www.perldoc.com/perl5.8.0/pod/perlsec.html

    for some advice on how it should be done.

    Second, $file in the above code will be assigned the number 1, i.e.
    the return value of the match in scalar context.

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
     
    Gunnar Hjalmarsson, Jan 28, 2004
    #4
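A short script, added here and not part of Gunnar's post, that makes both of his objections observable: the scalar-context assignment yields 1 instead of the filename, and /^(.*)$/ blesses any string at all, whereas a whitelist rejects names it was not written for. The helper names (make_tainted, untaint_scalar_ctx, untaint_permissive, untaint_whitelist) and the sample filenames are constructed for this demo; make_tainted deliberately taints a literal by concatenating a zero-length slice of the tainted $ENV{PATH}.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): shows why `my $file = $t =~ m/^(.*)$/;`
# is wrong twice over. Assumption: $ENV{PATH} is set, so it is tainted under -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint a string on purpose: concatenating even a zero-length substring of a
# tainted value propagates the taint flag to the result.
sub make_tainted {
    my ($s) = @_;
    return $s . substr($ENV{PATH}, 0, 0);
}

# Objection 2: =~ binds tighter than =, so this is scalar-context assignment of
# the match result; $file becomes 1 (true), not the captured name.
sub untaint_scalar_ctx {
    my ($name) = @_;
    my $file = $name =~ m/^(.*)$/;
    return $file;
}

# List-context assignment fixes the 1, but objection 1 remains: .* accepts
# anything, so the "untainted" result has not been validated at all.
sub untaint_permissive {
    my ($name) = @_;
    my ($file) = $name =~ m/^(.*)$/;
    return $file;
}

# A whitelist that names exactly the files this program may touch.
sub untaint_whitelist {
    my ($name) = @_;
    my ($file) = $name =~ m/^(ahps\.dat\.[a-z]{3})$/;
    return $file;   # undef when the name is not accepted
}

# Constructed sample names: one legitimate, one containing a path separator.
my @samples = map { make_tainted($_) } (
    'ahps.dat.cle',
    'ahps.dat.cle/../other',
);

for my $name (@samples) {
    printf "%-24s tainted=%s scalar-ctx=%s permissive=%s whitelist=%s\n",
        "'$name'",
        (tainted($name) ? 'yes' : 'no'),
        untaint_scalar_ctx($name),
        (tainted(untaint_permissive($name)) ? 'tainted' : 'clean'),
        (defined untaint_whitelist($name) ? 'accepted' : 'rejected');
}
```

Run with `perl -T`. Both inputs start out tainted; the scalar-context column shows 1 for both, the permissive column shows "clean" for both (including the name with a path separator, which is precisely what Gunnar means by "you can as well just remove the -T switch"), and only the whitelist column distinguishes the legitimate name from the rejected one.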
  5. Yes, this works! Thank you!
    Mark

    gnari wrote:

    > "Mark J Fenbers" <> wrote in message
    > news:...
    > > Consider this stripped-down Perl script:
    > >
    > > #!/usr/bin/perl -w -T
    > > use strict;
    > >
    > > foreach my $file ( <ahps.dat.???> ) {
    > >     open(OUT, ">$file.new") or die "message...";
    > >     # do stuff;
    > >     close OUT;
    > > }
    > >
    > > I get a taint dependency error on the "open" statement. The "perlsec" man page
    > > says this is a tainted situation (and I understand why), but it offers little
    > > advice of how to get around it. In the unstripped program, given filenames such
    > > as "ahps.dat.cle", I want to read in data from the file, modify the data, and
    > > write the altered data back out to a file called "ahps.dat.cle.new" for human
    > > examination... but it won't let me do this with "-T" unless I hardwire the
    > > output filename (which isn't a reasonable solution).
    > >
    > > Any ideas to get around this?
    >
    > doesn't the usual work?
    >
    > if ($file =~ /(^ahps\.dat\.[a-z]{3})$/) { # for example
    >     my $newfile = "$1.new";
    >     # do stuff
    > }
    >
    > gnari
     
    Mark J Fenbers, Jan 28, 2004
    #5
