Perl Taint issue


Mark J Fenbers

Consider this stripped-down Perl script:

#!/usr/bin/perl -w -T
use strict;

foreach my $file ( <ahps.dat.???> ) {
open(OUT, ">$file.new") or die "message...";
# do stuff;
close OUT;
}

I get a taint dependency error on the "open" statement. The "perlsec" man page
says this is a tainted situation (and I understand why), but it offers little
advice of how to get around it. In the unstripped program, given filenames such
as "ahps.dat.cle", I want to read in data from the file, modify the data, and
write the altered data back out to a file called "ahps.dat.cle.new" for human
examination... but it won't let me do this with "-T" unless I hardwire the
output filename (which isn't a reasonable solution).

Any ideas to get around this?

Mark
 

gnari

Mark J Fenbers said:
Consider this stripped-down Perl script:

#!/usr/bin/perl -w -T
use strict;

foreach my $file ( <ahps.dat.???> ) {
open(OUT, ">$file.new") or die "message...";
# do stuff;
close OUT;
}

I get a taint dependency error on the "open" statement. The "perlsec" man page
says this is a tainted situation (and I understand why), but it offers little
advice of how to get around it. In the unstripped program, given filenames such
as "ahps.dat.cle", I want to read in data from the file, modify the data, and
write the altered data back out to a file called "ahps.dat.cle.new" for human
examination... but it won't let me do this with "-T" unless I hardwire the
output filename (which isn't a reasonable solution).

Any ideas to get around this?

doesn't the usual work?
if ($file=~/(^ahps\.dat\.[a-z]{3})$/) { # for example
my $newfile="$1.new";
# do stuff
}

gnari
 

Walter Roberson

:#!/usr/bin/perl -w -T
:use strict;

:foreach my $file ( <ahps.dat.???> ) {
: open(OUT, ">$file.new") or die "message...";
: # do stuff;
: close OUT;
:}

:I get a taint dependency error on the "open" statement. The "perlsec" man page
:says this is a tainted situation (and I understand why), but it offers little
:advice of how to get around it.

Use the standard de-tainting idiom:

#!/usr/bin/perl -w -T
use warnings;
use strict;

foreach my $taintedfile ( <ahps.dat.???> ) {
my $file = $taintedfile =~ m/^(.*)$/;
open(OUT, ">$file.new") or die "message...";
# do stuff;
close OUT;
}
 

Gunnar Hjalmarsson

Walter said:
Use the standard de-tainting idiom:

#!/usr/bin/perl -w -T
use warnings;
use strict;

foreach my $taintedfile ( <ahps.dat.???> ) {
my $file = $taintedfile =~ m/^(.*)$/;
-------^^^^^----------------------^^^^

What's standard about that buggy code?

First, if you consider /^(.*)$/ to be "standard" for untainting, you
can as well just remove the -T switch. Please study

http://www.perldoc.com/perl5.8.0/pod/perlsec.html

for some advice on how it should be done.

Second, $file in the above code will be assigned the number 1, i.e.
the return value of the match in scalar context.
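Putting gnari's tight pattern and Gunnar's two objections together, here is an added example (not code from any of the posters) that runs under -T end to end. Everything it touches is constructed: it creates a temporary directory holding three ahps.dat.??? files, one of them deliberately named ahps.dat.;id to show what a loose /(.*)/ untaint would have let through, and the upper-casing inside "do stuff" is a placeholder transformation. The function names detaint_ahps_name and process_dir are mine, not from the thread.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run it as:  perl -T detaint.pl
use strict;
use warnings;
use File::Temp   qw(tempdir);
use Scalar::Util qw(tainted);

# Under -T, anything from outside the program is tainted: @ARGV, %ENV,
# file contents, and the names returned by glob()/readdir(). Sanitise %ENV
# first so a later system()/backtick call is not refused for an insecure PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Turn one glob result into (input path, output path), or return an empty
# list if the name is not of the expected shape. The capture from a tight
# pattern is what clears the taint. \z instead of $ is deliberate: $ also
# matches before a trailing newline, which a filename may legally contain.
sub detaint_ahps_name {
    my ($dir, $path) = @_;
    my ($base) = $path =~ m{^\Q$dir\E/(ahps\.dat\.[a-z]{3})\z}
        or return;                 # list-context match: $base is the capture, not "1"
    return ("$dir/$base", "$dir/$base.new");
}

sub process_dir {
    my ($dir) = @_;
    my (@written, @skipped);
    for my $tainted_path (glob("$dir/ahps.dat.???")) {
        my ($in, $out) = detaint_ahps_name($dir, $tainted_path);
        if (!defined $in) {
            push @skipped, $tainted_path;
            next;
        }
        open my $ifh, '<', $in  or die "open $in: $!";   # 3-arg open: no mode parsing of the name
        open my $ofh, '>', $out or die "open $out: $!";  # $out is clean, so -T allows the write
        while (my $line = <$ifh>) {
            print {$ofh} uc $line;   # "do stuff": placeholder transformation
        }
        close $ifh;
        close $ofh or die "close $out: $!";
        push @written, $out;
    }
    return (\@written, \@skipped);
}

# --- demo on constructed data --------------------------------------------
# tempdir() yields an untainted path under -T (File::Spec->tmpdir drops a
# tainted $ENV{TMPDIR}); the whitelist match below is belt and braces.
my ($dir) = tempdir(CLEANUP => 1) =~ m{^([\w./-]+)\z}
    or die "temp dir has unexpected characters";

# Two well-formed names plus one that also matches ahps.dat.??? but carries a
# shell metacharacter: a /(.*)/ "untaint" would have accepted it unchanged.
for my $name ('ahps.dat.cle', 'ahps.dat.pit', 'ahps.dat.;id') {
    open my $fh, '>', "$dir/$name" or die "create $name: $!";
    print {$fh} "stage 12.3\n";
    close $fh;
}

my $first = (glob("$dir/ahps.dat.???"))[0];
printf "glob result tainted: %s\n", tainted($first) ? 'yes' : 'no';

my ($written, $skipped) = process_dir($dir);
print "wrote:   $_\n" for @$written;
print "skipped: $_\n" for @$skipped;
```

Start it with perl -T on the command line; if only the #! line carries -T and the script is run as "perl detaint.pl", perl dies with "Too late for "-T" option". Two details matter beyond the pattern itself: the match is done in list context so the capture, not the match's true value, ends up in the variable, and the glob pattern alone is no filter, since ??? matches ";id" just as happily as "cle".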
 

Mark J Fenbers

Yes, this works! Thank you!
Mark
gnari said:
doesn't the usual work?
if ($file=~/(^ahps\.dat\.[a-z]{3})$/) { # for example
my $newfile="$1.new";
# do stuff
}
 
