Use of CGI.pm filehandle with File::Copy::copy in taint mode

Discussion in 'Perl Misc' started by raw.com@gmail.com, May 5, 2006.

  1. Guest

    I have a simple upload script that uses the (Fh) filehandles returned
    by CGI::upload() in a call to File::Copy::copy(). Works fine without
    taint mode turned on. Under -t I get:

    Insecure dependency in open while running with -T switch at
    C:/Perl/lib/File/Copy.pm line 133

    That line is, indeed, the call to open().

    Untainting my filehandle (using IO::Handle::untaint(*{$fh}{IO}), which
    returns 0, indicating "success") does not do the trick.

    In the debugger, using this as a taint-check:

    sub is_tainted
    {
        # From perlsec: a string eval of tainted data dies under -T.
        return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
    }

    I see that my filehandles remain tainted even after the call to
    IO::Handle::untaint().

    Other postings I've read suggest that these filehandles do not need to
    be untainted.

    Any suggestions?

    Cheers,
    Richard

    --
    -- Richard A. Wells,
    -- Reality And Wonder, http://www.raw.com/
    , May 5, 2006
    #1

  2. Gunnar Hjalmarsson wrote:
    > I have a simple upload script that uses the (Fh) filehandles returned
    > by CGI::upload() in a call to File::Copy::copy(). Works fine without
    > taint mode turned on. Under -t I get:
    >
    > Insecure dependency in open while running with -T switch at
    > C:/Perl/lib/File/Copy.pm line 133
    >
    > That line is, indeed, the call to open().
    >
    > Untainting my filehandle (using IO::Handle::untaint(*{$fh}{IO}), which
    > returns 0, indicating "success") does not do the trick.
    >
    > In the debugger, using this as a taint-check:
    >
    > sub is_tainted
    > {
    >     return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
    > }
    >
    > I see that my filehandles remain tainted even after the call to
    > IO::Handle::untaint().
    >
    > Other postings I've read suggest that these filehandles do not need to
    > be untainted.
    >
    > Any suggestions?


    Try CGI::UploadEasy. It uses another approach, but it's taint safe.

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
    Gunnar Hjalmarsson, May 7, 2006
    #2

  3. Guest

    Thanks, Gunnar. I installed your module (CGI::UploadEasy) and read
    through it and, of course, I'd reinvented a lot of what you already do
    there. However, I still won't be able to use your module directly, as
    I get the uploaded filenames from another place, not from the filenames
    associated with the uploaded file parameters. Additionally, I need to
    control the set of allowable content-types.

    However, when I saw that you take no specific action to untaint the
    CGI::upload()-returned filehandles I went back to trying my code in the
    debugger and I see that the error from File::Copy::copy referred not to
    the filehandle arg but to the destination arg, which is a string
    filename. Indeed, I'd forgotten to untaint that value, which came in
    part from a different CGI::param().

    Once I fixed that I was able to run with taint-checking and, in fact,
    remove the use of IO::Handle::untaint() completely.

    Cheers,
    Richard

    --
    -- Richard A. Wells,
    -- Reality And Wonder, http://www.raw.com/
    , May 10, 2006
    #3
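The resolution above (the CGI.pm upload filehandle is fine; the tainted destination string is what File::Copy::copy rejects under -T) as an added example, not code from either poster. The sub names untaint_filename and save_upload are assumed; the upload directory is a literal in the script, so it is not tainted.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Copy ();
use File::Basename ();
use File::Spec ();

# Taint probe from perlsec: a string eval of tainted data dies under -T.
sub is_tainted {
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Hypothetical allow-list untaint of a user-supplied file name.
# Only the regex capture clears the taint flag; anything else is rejected.
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name;
    my $base = File::Basename::basename($name);   # drop any directory part
    # Conservative character set, one extension, no leading dot (so no
    # hidden files and no ".." can be produced from user input).
    if ($base =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,8})\z/) {
        return $1;
    }
    return undef;
}

# Copy an upload filehandle to $dir under a validated name. $fh is the
# (Fh) handle from CGI::upload(); $requested_name is a separate, tainted
# CGI::param() value, as in the thread.
sub save_upload {
    my ($fh, $dir, $requested_name) = @_;
    my $safe = untaint_filename($requested_name);
    die "Rejected unsafe file name\n" unless defined $safe;
    die "Destination still tainted\n" if is_tainted($safe);
    my $dest = File::Spec->catfile($dir, $safe);
    File::Copy::copy($fh, $dest) or die "copy failed: $!\n";
    return $dest;
}

# Typical CGI call site (runs inside a web server, not stand-alone):
#   use CGI;
#   my $q  = CGI->new;
#   my $fh = $q->upload('file');                    # handle: no untaint needed
#   save_upload($fh, '/var/uploads', scalar $q->param('name'));
```

The handle needs no untainting because File::Copy reads from it; the open() that taint mode refuses is the one on the destination path, so that string is the value to validate.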