rmtree and untaint

Discussion in 'Perl Misc' started by Flagstaff, Jan 3, 2004.

  1. Flagstaff

    Flagstaff Guest

    I untaint input from a cgi form in the standard way:

    if ($variable =~ /^([-_\w\s]+)$/) { $variable = $1 }
    else { error_handling ("bad_data", $variable) }

    but when I try to use the rmtree function in File::path I get an error
    that the variable is untainted. Can anyone give me insight here?

    Thanks
    Flagstaff, Jan 3, 2004
    #1

  2. Flagstaff

    Flagstaff Guest

    On Fri, 02 Jan 2004 22:01:07 -0500, Flagstaff <> wrote:

    >I untaint input from a cgi form in the standard way:
    >
    > if ($variable =~ /^([-_\w\s]+)$/) { $variable = $1 }
    > else { error_handling ("bad_data", $variable) }
    >
    >but when I try to use the rmtree function in File::path I get an error
    >that the variable is untainted. Can anyone give me insight here?
    >
    >Thanks


    I also get the same error if I try to delete all files in a directory
    .....something like:

    unlink (./*);

    so I think this is related.
    Flagstaff, Jan 4, 2004
    #2

  3. Flagstaff wrote:
    > I untaint input from a cgi form in the standard way:
    >
    > if ($variable =~ /^([-_\w\s]+)$/) { $variable = $1 }
    > else { error_handling ("bad_data", $variable) }
    >
    > but when I try to use the rmtree function in File::path I get an
    > error that the variable is untainted. Can anyone give me insight
    > here?


    rmtree() uses the readdir() function, whose output is tainted, and
    since File::path seems to not have any option to be run in taint mode,
    you should probably try some other approach.

    File::Find, which includes an 'untaint' option, might be useful.

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
    Gunnar Hjalmarsson, Jan 4, 2004
    #3
  4. On Sun, 04 Jan 2004 00:09:47 -0500,
    Flagstaff <> wrote:
    > On Fri, 02 Jan 2004 22:01:07 -0500, Flagstaff <> wrote:
    >
    >>I untaint input from a cgi form in the standard way:
    >>
    >> if ($variable =~ /^([-_\w\s]+)$/) { $variable = $1 }
    >> else { error_handling ("bad_data", $variable) }
    >>
    >>but when I try to use the rmtree function in File::path I get an error
    >>that the variable is untainted. Can anyone give me insight here?


    You mean that the variable is tainted, as in an "Insecure dependency"
    error? What is the exact error message, and what exactly is the code
    that triggers it?

    > I also get the same error if I try to delete all files in a directory


    What is that error though?

    > ....something like:
    >
    > unlink (./*);
    >
    > so I think this is related.


    This is a syntax error.

    unlink takes a list of file names to remove. Perl is not shell, so it
    won't automatically replace glob patterns with file names. Even if you
    quoted the above, so it wasn't a syntax error, and wrote:

    unlink ("./*");

    perl would try to unlink the file with the literal name ./*. You
    probably need the glob operation or <>, but you should realise that
    those operations return tainted data, and therefore need to be
    untainted.

    So, if you wrote

    unlink <./*>;

    you would get a message stating that there is an insecure dependency.

    Have you checked whether the variable is tainted, as is suggested in the
    perlsec documentation, and in perl FAQ 7?

    You need to be much more precise and clear next time you report a
    problem.

    Martien
    --
    Martien Verbruggen | Blessed are the Fundamentalists, for they
                       | shall inhibit the earth.
    Martien Verbruggen, Jan 4, 2004
    #4
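    Putting Gunnar's and Martien's points together, here is an added example (my own, not code from either poster) of a taint-mode script that untaints the form value by capture, walks the directory with File::Find instead of rmtree(), and untaints each readdir()-derived name before unlink(). The base directory, the path pattern, and the use of $ENV{QUERY_STRING} as a stand-in for the parsed form field are all assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): deleting a directory's contents
# under taint mode, untainting the readdir()-derived names that make
# rmtree() and unlink <./*> fail with "Insecure dependency".
use strict;
use warnings;
use File::Find;
use File::Spec;

# Base directory is a program constant, so it is never tainted (assumption).
my $BASE = '/var/tmp/uploads';

# Untaint the form value the way the thread does: keep only the capture of a
# restrictive match. This pattern also rejects '/' and '.', so "../x" fails.
sub untaint_dirname {
    my ($raw) = @_;
    return $raw =~ /^([-_\w]+)$/ ? $1 : undef;
}

# Walk $dir without chdir() and unlink each regular file. readdir() output is
# tainted, so every name is untainted by capture before unlink() sees it;
# anything outside the pattern is left in place and reported instead.
sub remove_files_untainted {
    my ($dir) = @_;
    my (@removed, @refused);
    find({
        no_chdir => 1,
        wanted   => sub {
            return unless -f $File::Find::name;
            if ($File::Find::name =~ m{^([-\w./]+)$}) {   # assumption: local path policy
                my $clean = $1;                           # untainted copy
                if (unlink $clean) { push @removed, $clean }
                else               { warn "unlink $clean: $!" }
            } else {
                push @refused, $File::Find::name;
            }
        },
    }, $dir);
    return (\@removed, \@refused);
}

# %ENV is tainted under -T; QUERY_STRING stands in for the parsed form field.
my $sub = untaint_dirname($ENV{QUERY_STRING} // '')
    or die "bad_data\n";
my ($gone, $kept) = remove_files_untainted(File::Spec->catdir($BASE, $sub));
print "removed: @$gone\nrefused: @$kept\n";
```

    Running it with a name such as "../etc" dies at the untaint step, and a file whose name falls outside the pattern is reported under "refused" rather than passed to unlink().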
  5. Flagstaff

    Flagstaff Guest

    On Sun, 04 Jan 2004 07:58:37 +0100, Gunnar Hjalmarsson
    <> wrote:

    >Flagstaff wrote:
    >> I untaint input from a cgi form in the standard way:
    >>
    >> if ($variable =~ /^([-_\w\s]+)$/) { $variable = $1 }
    >> else { error_handling ("bad_data", $variable) }
    >>
    >> but when I try to use the rmtree function in File::path I get an
    >> error that the variable is untainted. Can anyone give me insight
    >> here?

    >
    >rmtree() uses the readdir() function, whose output is tainted, and
    >since File::path seems to not have any option to be run in taint mode,
    >you should probably try some other approach.
    >
    >File::Find, that includes an 'untaint' option, might be useful.


    Hey thanks. It's good to know that it is not just some buggy thing in my
    code!
    Flagstaff, Jan 5, 2004
    #5