I untaint input from a cgi form in the standard way:
if ($variable =~ /^([-_\w\s]+)$/) { $variable = $1 }
else { error_handling ("bad_data", $variable) }
but when I try to use the rmtree function in File::Path I get an error
that the variable is untainted. Can anyone give me insight here?
You mean that the variable is tainted, as in an "Insecure dependency"
error? What is the exact error message, and what exactly is the code
that triggers it?
I also get the same error if I try to delete all files in a directory
What is that error though?
....something like:
unlink (./*);
so I think this is related.
This is a syntax error.
unlink takes a list of file names to remove. Perl is not shell, so it
won't automatically replace glob patterns with file names. Even if you
quoted the above, so it wasn't a syntax error, and wrote:
unlink ("./*");
perl would try to unlink the file with the literal name ./*. You
probably need the glob operation or <>, but you should realise that
those operations return tainted data, and therefore need to be
untainted.
So, if you wrote
unlink <./*>;
you would get a message stating that there is an insecure dependency.
Have you checked whether the variable is tainted, as is suggested in the
perlsec documentation, and in perl FAQ 7?
You need to be much more precise and clear next time you report a
problem.
Martien
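
The point made in the reply above, that file names returned by glob are tainted and have to be untainted before unlink will accept them, as an added example (not code from either poster). The directory name `taint_demo`, the sample file names and the allowlist pattern are assumptions made for the illustration; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example: untainting glob() results before unlink under taint mode.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical scratch directory holding constructed sample files.
# String literals in the program are not tainted, so these calls are allowed.
my $dir = 'taint_demo';
mkdir $dir or die "mkdir $dir: $!" unless -d $dir;
for my $name ('a.txt', 'b.log', 'has space.txt') {
    open my $fh, '>', "$dir/$name" or die "create $dir/$name: $!";
    close $fh;
}

# Names read back from the filesystem are tainted, even though the
# pattern handed to glob was not.
my @candidates = glob("$dir/*");
for my $path (@candidates) {
    print "$path tainted? ", (tainted($path) ? 'yes' : 'no'), "\n";
}

# Passing a tainted name straight to unlink dies with an
# "Insecure dependency" error; eval traps it so the demo can continue.
eval { unlink $candidates[0]; 1 }
    or print "unlink refused: $@";

# Untaint only through a capture group of an allowlist pattern.
# Names that do not match stay tainted and are left alone.
my (@clean, @rejected);
for my $path (@candidates) {
    if ($path =~ m{\A(\Q$dir\E/[-\w.]+)\z}) {
        push @clean, $1;          # $1 is untainted
    } else {
        push @rejected, $path;    # e.g. the name containing a space
    }
}

my $removed = unlink @clean;
print "removed $removed file(s)\n";
print "left in place (failed allowlist): $_\n" for @rejected;
```

The file whose name fails the pattern is deliberately left behind in `taint_demo`, which is what the else branch of the original untaint code would do with bad data.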