Velocity Reviews


Mark J Fenbers 01-28-2004 06:02 PM

Perl Taint issue
 
Consider this stripped-down Perl script:

#!/usr/bin/perl -w -T
use strict;

foreach $file ( <ahps.dat.???> ) {
open(OUT, ">$file.new") or die "message...";
# do stuff;
close OUT;
}

I get a taint dependency error on the "open" statement. The "perlsec" man page
says this is a tainted situation (and I understand why), but it offers little
advice of how to get around it. In the unstripped program, given filenames such
as "ahps.dat.cle", I want to read in data from the file, modify the data, and
write the altered data back out to a file called "ahps.dat.cle.new" for human
examination... but it won't let me do this with "-T" unless I hardwire the
output filename (which isn't a reasonable solution).

Any ideas to get around this?

Mark


gnari 01-28-2004 06:28 PM

Re: Perl Taint issue
 
"Mark J Fenbers" <Mark.Fenbers@noaa.gov> wrote in message
news:4017F94B.595AF7A@noaa.gov...
> Consider this stripped-down Perl script:
>
> #!/usr/bin/perl -w -T
> use strict;
>
> foreach $file ( <ahps.dat.???> ) {
> open(OUT, ">$file.new") or die "message...";
> # do stuff;
> close OUT;
> }
>
> I get a taint dependency error on the "open" statement. The "perlsec" man page
> says this is a tainted situation (and I understand why), but it offers little
> advice of how to get around it. In the unstripped program, given filenames such
> as "ahps.dat.cle", I want to read in data from the file, modify the data, and
> write the altered data back out to a file called "ahps.dat.cle.new" for human
> examination... but it won't let me do this with "-T" unless I hardwire the
> output filename (which isn't a reasonable solution).
>
> Any ideas to get around this?


doesn't the usual work?
if ($file=~/(^ahps\.dat\.[a-z]{3})$/) { # for example
my $newfile="$1.new";
# do stuff
}

gnari




Walter Roberson 01-28-2004 07:03 PM

Re: Perl Taint issue
 
In article <4017F94B.595AF7A@noaa.gov>,
Mark J Fenbers <Mark.Fenbers@noaa.gov> wrote:
:Consider this stripped-down Perl script:

:#!/usr/bin/perl -w -T
:use strict;

:foreach $file ( <ahps.dat.???> ) {
: open(OUT, ">$file.new") or die "message...";
: # do stuff;
: close OUT;
:}

:I get a taint dependency error on the "open" statement. The "perlsec" man page
:says this is a tainted situation (and I understand why), but it offers little
:advice of how to get around it.

Use the standard de-tainting idiom:

#!/usr/bin/perl -w -T
use warnings;
use strict;

foreach my $taintedfile ( <ahps.dat.??> ) {
my $file = $taintedfile =~ m/^(.*)$/;
open(OUT, ">$file.new") or die "message...";
# do stuff;
close OUT;
}
--
"[...] it's all part of one's right to be publicly stupid." -- Dave Smey

Gunnar Hjalmarsson 01-28-2004 07:36 PM

Re: Perl Taint issue
 
Walter Roberson wrote:
> Use the standard de-tainting idiom:
>
> #!/usr/bin/perl -w -T
> use warnings;
> use strict;
>
> foreach my $taintedfile ( <ahps.dat.??> ) {
> my $file = $taintedfile =~ m/^(.*)$/;

-------^^^^^----------------------^^^^

What's standard about that buggy code?

First, if you consider /^(.*)$/ to be "standard" for untainting, you
can as well just remove the -T switch. Please study

http://www.perldoc.com/perl5.8.0/pod/perlsec.html

for some advice on how it should be done.

Second, $file in the above code will be assigned the number 1, i.e.
the return value of the match in scalar context.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
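The following script is an added example, not code from any of the posters, to show the two points raised in the reply above and the restrictive approach from gnari's reply in one runnable piece: a match in scalar context hands you the number 1 rather than the filename, the pattern /^(.*)$/ launders the taint flag without validating anything, and a pattern that captures only the expected filename shape is what actually untaints safely. The subroutine name untaint_datfile, the sample filenames and the trick of tainting a literal through a zero-length substring of an environment value are all constructed for the example (it assumes %ENV is non-empty, which is true under any normal shell).

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Run as:  perl -T untaint.pl
# Running it without -T dies with "Too late for -T" because of the shebang.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input. Under -T, glob results, @ARGV, %ENV and anything read
# from a filehandle are tainted. To stay offline we taint literals by
# appending a zero-length substring of a tainted value: every %ENV value is
# tainted, and any expression derived from a tainted value stays tainted.
my $taint = substr(join('', values %ENV), 0, 0);

# Point 2 from the reply above: a match in scalar context returns 1 (true),
# so $bad ends up holding the number 1, not the filename.
my $bad = ('ahps.dat.cle' . $taint) =~ m/^(.*)$/;
print "scalar-context result: '$bad'\n";

# Point 1: even in list context, /^(.*)$/ matches every possible string,
# so it clears the taint flag while checking nothing at all.
my ($laundered) = ('../other.dat' . $taint) =~ m/^(.*)$/;
printf q{/^(.*)$/ accepted '%s' (tainted: %s)} . "\n",
    $laundered, tainted($laundered) ? 'yes' : 'no';

# The approach from gnari's reply: capture only the exact shape this
# program expects and reject everything else. \z is used instead of $
# because $ also matches before a trailing newline.
sub untaint_datfile {
    my ($name) = @_;
    my ($clean) = $name =~ m/^(ahps\.dat\.[a-z]{3})\z/;
    return $clean;    # undef when the name does not match
}

for my $sample ('ahps.dat.cle', '../other.dat', "ahps.dat.cle\n") {
    (my $label = $sample) =~ s/\n/\\n/g;    # keep the output on one line
    my $tainted = $sample . $taint;
    my $clean   = untaint_datfile($tainted);
    if (defined $clean) {
        printf "%-16s -> '%s.new' (tainted: %s)\n",
            $label, $clean, tainted($clean) ? 'yes' : 'no';
    } else {
        printf "%-16s -> rejected\n", $label;
    }
}
```

Once $clean comes back defined, open(OUT, ">$clean.new") passes the taint check, because the only thing that can reach the open is a name of the form ahps.dat.xxx. The point is that the regex documents which names the program is willing to touch; a name like "../other.dat" or one with a stray newline is refused rather than "cleaned".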


Mark J Fenbers 01-28-2004 08:30 PM

Re: Perl Taint issue
 
Yes, this works! Thank you!
Mark

gnari wrote:

> "Mark J Fenbers" <Mark.Fenbers@noaa.gov> wrote in message
> news:4017F94B.595AF7A@noaa.gov...
> > Consider this stripped-down Perl script:
> >
> > #!/usr/bin/perl -w -T
> > use strict;
> >
> > foreach $file ( <ahps.dat.???> ) {
> > open(OUT, ">$file.new") or die "message...";
> > # do stuff;
> > close OUT;
> > }
> >
> > I get a taint dependency error on the "open" statement. The "perlsec" man page
> > says this is a tainted situation (and I understand why), but it offers little
> > advice of how to get around it. In the unstripped program, given filenames such
> > as "ahps.dat.cle", I want to read in data from the file, modify the data, and
> > write the altered data back out to a file called "ahps.dat.cle.new" for human
> > examination... but it won't let me do this with "-T" unless I hardwire the
> > output filename (which isn't a reasonable solution).
> >
> > Any ideas to get around this?
>
> doesn't the usual work?
> if ($file=~/(^ahps\.dat\.[a-z]{3})$/) { # for example
> my $newfile="$1.new";
> # do stuff
> }
>
> gnari



