Taint problem with ActiveState

brian.bygland

I'm using Perl 5.6.1 on both UNIX (AIX) and Windows 2000. When I
execute the script with the -T taint check on UNIX, it runs fine. The
same script on Windows fails with the error:

C:\Documents and Settings\bxb7668\My Documents\@Junk>perl -T junk3.pl
Insecure dependency in chdir while running with -T switch at
C:/Perl/lib/Cwd.pm line 305.
BEGIN failed--compilation aborted at C:/Perl/lib/FindBin.pm line 166.
Compilation failed in require at junk3.pl line 14.
BEGIN failed--compilation aborted at junk3.pl line 14.

The Cwd.pm module is the same on both platforms. Any idea what is going
on here?

This is my test script, junk3.pl:
#!/usr/bin/perl -w

use strict;

# Untainting stuff:
#
# 1) Untaint PATH
$ENV{PATH} = "";

# 2) Remove the IFS, CDPATH, ENV and BASH_ENV environment variables
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Add the VOBTools library location to @INC
use FindBin qw($Bin); # This is line 14
use lib ("${Bin}/perllib","${Bin}/../perllib");
print "$^O \n";

exit 0;
 
A. Sinan Unur

(e-mail address removed) wrote in
I'm using Perl 5.6.1 on both UNIX (AIX) and Windows 2000. When I
execute the script with the -T taint check on UNIX, it runs fine. The
same script on Windows fails with the error:

C:\Documents and Settings\bxb7668\My Documents\@Junk>perl -T junk3.pl
Insecure dependency in chdir while running with -T switch at
C:/Perl/lib/Cwd.pm line 305.
BEGIN failed--compilation aborted at C:/Perl/lib/FindBin.pm line 166.
Compilation failed in require at junk3.pl line 14.
BEGIN failed--compilation aborted at junk3.pl line 14.

The Cwd.pm module is the same on both platforms. Any idea what is
going on here?

I have:

C:\Home> perl -MCwd -e "print $Cwd::VERSION"
3.01

C:\Home> perl -v
This is perl, v5.8.6 built for MSWin32-x86-multi-thread

C:\Home> ver

Microsoft Windows XP [Version 5.1.2600]

This is my test script, junk3.pl:
#!/usr/bin/perl -w

use strict;

# Untainting stuff:
#
# 1) Untaint PATH
$ENV{PATH} = "";

# 2) Remove the IFS, CDPATH, ENV and BASH_ENV environment variables
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Add the VOBTools library location to @INC
use FindBin qw($Bin); # This is line 14
use lib ("${Bin}/perllib","${Bin}/../perllib");
print "$^O \n";

exit 0;

Running this script produces:

C:\Home> perl -T taint.pl
MSWin32

Sinan.
 
bxb7668

Great! Whatever the problem is, it's been fixed. Unfortunately I and
my customers are stuck with 5.6.1 for the time being. We cannot upgrade
until the new version is approved.
Brian
 
A. Sinan Unur

bxb7668

(Sorry for not including the context of previous posts. I don't know
how to make Google do that)
I could download and install Perl 5.8.6 if 1) I had administrator
privilege and 2) I wanted to be fired. It is a terminatable offence to
download without permission from the wild web. Besides which my scripts
will be deployed to lots of PCs that would also need the upgrade. I
don't control that.
 
A. Sinan Unur

(Sorry for not including the context of previous posts. I don't know
how to make Google do that)
I could download and install Perl 5.8.6 if 1) I had administrator
privilege and 2) I wanted to be fired. It is a terminatable offence to
download without permission from the wild web. Besides which my scripts
will be deployed to lots of PCs that would also need the upgrade. I
don't control that.

You are not listening.

I suggested that you download the new version of Cwd and install it in a
private module directory for your script.

I said nothing about mucking around with the system-wide Perl
installation.

perldoc -q lib


Sinan.
 
Peroli

hi brian,

with reference to your script :
####################################
#!/usr/bin/perl -w

use strict;

# Untainting stuff:
#
# 1) Untaint PATH
$ENV{PATH} = "";

# 2) Remove the IFS, CDPATH, ENV and BASH_ENV environment variables
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Add the VOBTools library location to @INC
use FindBin qw($Bin); # This is line 14
use lib ("${Bin}/perllib","${Bin}/../perllib");
print "$^O \n";

exit 0;
#####################################
line 14: use FindBin qw($Bin);

$Bin needs to be untainted, like this
$Bin =~ /(.*)/; # give your specific pattern
$Bin = $1;

It will be ok then.

Peroli Sivaprakasam
 
Michele Dondi

There is nothing preventing you from downloading

http://search.cpan.org/~kwilliams/PathTools-3.02/

and installing it in a private directory.

If the fact that it is an XS module is a problem for you, a ppd for 5.6
seems to be available from

http://www.bribes.org/perl/ppmdir.html


In reply to which


(Sorry for not including the context of previous posts. I don't know
how to make Google do that)
I could download and install Perl 5.8.6 if 1) I had administrator
privilege and 2) I wanted to be fired. It is a terminatable offence to
download without permission from the wild web. Besides which my scripts
will be deployed to lots of PCs that would also need the upgrade. I
don't control that.

Please note that this is not what has been suggested to you. See
above!


Michele
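
The two ideas raised in the thread, a private module directory and untainting $Bin with a specific pattern, combined as an added example (not code from any poster). It assumes a Perl on which FindBin loads under -T, as in the 5.8.6 run shown above; the allowed character set in the pattern is an assumption to adapt to your own install paths. The work is done in BEGIN blocks because `use lib` and `use FindBin` run at compile time.

```perl
#!/usr/bin/perl -w
# Added example: run as "perl -T script.pl", the way the thread does.
use strict;

BEGIN {
    # Same environment cleanup as the original script, moved into BEGIN so
    # it happens before the "use" lines below are compiled and run.
    $ENV{PATH} = "";
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
}

use FindBin ();      # assumed to load under -T (it did on 5.8.6 above)
use File::Spec ();
use lib ();          # load lib.pm now; directories are added below

BEGIN {
    # Allow-list instead of /(.*)/: optional drive letter, then only word
    # characters, space, dot, slash, backslash, "@" and "-".
    my $dir_re = qr{\A((?:[A-Za-z]:)?[\w ./\\\@-]+)\z};

    my ($bin) = $FindBin::Bin =~ $dir_re
        or die "Unexpected characters in script directory, not using it\n";
    File::Spec->file_name_is_absolute($bin)
        or die "Script directory is not absolute, not using it\n";

    # The two private library directories named in the original script.
    my @candidates = (
        File::Spec->catdir($bin, 'perllib'),
        File::Spec->catdir($bin, File::Spec->updir, 'perllib'),
    );

    # Only existing directories go onto @INC; the values are untainted
    # because they derive from the captured $1, not from $FindBin::Bin.
    lib->import(grep { -d $_ } @candidates);
}

print "$^O\n";
print "private lib: $_\n" for grep { m{perllib\z} } @INC;

exit 0;
```

A pattern such as /(.*)/ accepts any value, so it clears the taint flag without checking anything; the allow-list above makes the script die if its directory contains characters you did not expect.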
 
