Find::File and taint mode

 
 
Dave Saville
      11-18-2003
I have a cgi script that uses File::Find.

find(\&wanted, 'D:/Apps/SouthSide/PMMail');

I am getting:

Insecure dependency in chdir while running with -T switch at
D:/usr/lib/perl/lib
/5.8.0/File/Find.pm line 807.

How can I get around this?

TIA

Regards

Dave Saville

NB switch saville for nospam in address


 
 
 
 
 
Gunnar Hjalmarsson
      11-18-2003
Dave Saville wrote:
> I have a cgi script that uses File::Find.
>
> find(\&wanted, 'D:/Apps/SouthSide/PMMail');
>
> I am getting:
>
> Insecure dependency in chdir while running with -T switch at
> D:/usr/lib/perl/lib
> /5.8.0/File/Find.pm line 807.
>
> How can I get around this?


By using the 'untaint' option. See the File::Find docs.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

 
 
 
 
 
Ben Morrow
      11-18-2003

Gunnar Hjalmarsson <(E-Mail Removed)> wrote:
> Dave Saville wrote:
> > I have a cgi script that uses File::Find.
> >
> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
> >
> > I am getting:
> >
> > Insecure dependency in chdir while running with -T switch at
> > D:/usr/lib/perl/lib
> > /5.8.0/File/Find.pm line 807.
> >
> > How can I get around this?

>
> By using the 'untaint' option. See the File::Find docs.


You could also use the 'no_chdir' option, which may or may not be
safer...

Ben

--
perl -e'print map {/.(.)/s} sort unpack "a2"x26, pack "N"x13,
qw/1632265075 1651865445 1685354798 1696626283 1752131169 1769237618
1801808488 1830841936 1886550130 1914728293 1936225377 1969451372
2047502190/' # http://www.velocityreviews.com/forums/(E-Mail Removed)
 
 
Dave Saville
      11-18-2003
On Tue, 18 Nov 2003 20:32:04 +0000 (UTC), Ben Morrow wrote:

>
>Gunnar Hjalmarsson <(E-Mail Removed)> wrote:
>> Dave Saville wrote:
>> > I have a cgi script that uses File::Find.
>> >
>> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
>> >
>> > I am getting:
>> >
>> > Insecure dependency in chdir while running with -T switch at
>> > D:/usr/lib/perl/lib
>> > /5.8.0/File/Find.pm line 807.
>> >
>> > How can I get around this?

>>
>> By using the 'untaint' option. See the File::Find docs.

>
>You could also use the 'no_chdir' option, which may or may not be
>safer...


Thanks - but File::Find is so S L O W I am going to have to rethink it
anyway.

Regards

Dave Saville

NB switch saville for nospam in address


 
 
Dave Saville
      11-18-2003
On Tue, 18 Nov 2003 20:32:04 +0000 (UTC), Ben Morrow wrote:

>
>Gunnar Hjalmarsson <(E-Mail Removed)> wrote:
>> Dave Saville wrote:
>> > I have a cgi script that uses File::Find.
>> >
>> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
>> >
>> > I am getting:
>> >
>> > Insecure dependency in chdir while running with -T switch at
>> > D:/usr/lib/perl/lib
>> > /5.8.0/File/Find.pm line 807.
>> >
>> > How can I get around this?

>>
>> By using the 'untaint' option. See the File::Find docs.


What I don't understand is why perl thinks it is tainted - all I am
passing is a quoted string.

Regards

Dave Saville

NB switch saville for nospam in address


 
 
Ben Morrow
      11-18-2003
"Dave Saville" <(E-Mail Removed)> wrote:
> On Tue, 18 Nov 2003 20:32:04 +0000 (UTC), Ben Morrow wrote:
> >Gunnar Hjalmarsson <(E-Mail Removed)> wrote:
> >> Dave Saville wrote:
> >> > I have a cgi script that uses File::Find.
> >> >
> >> > find(\&wanted, 'D:/Apps/SouthSide/PMMail');
> >> >
> >> > I am getting:
> >> >
> >> > Insecure dependency in chdir while running with -T switch at

>
> What I don't understand is why perl thinks it is tainted - all I am
> passing is a quoted string.


It's not that that's tainted: that string's fine. It's the next set of
strings: the list of directories in PMMail to recurse into. Since
those names have come from readdir, which brings data in from outside
the program, they're tainted. If you are *quite* sure that no one
untrusted can affect the names of those directories, then it is safe
to use the 'untaint' option.

Ben

--
It will be seen that the Erewhonians are a meek and long-suffering people,
easily led by the nose, and quick to offer up common sense at the shrine of
logic, when a philosopher convinces them that their institutions are not based
on the strictest morality. [Samuel Butler, paraphrased] (E-Mail Removed)
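
The 'untaint' route discussed in the replies above, as an added example that is not part of the original thread. 'untaint', 'untaint_pattern' and 'untaint_skip' are documented File::Find options; the two patterns, the variable names and the policy they encode are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T script.pl
use strict;
use warnings;
use File::Find;

# Root from the original post. A literal in the source is not tainted.
my $root = 'D:/Apps/SouthSide/PMMail';

# Assumed allow-list for directory names: an optional drive letter, then
# only word characters, '-', '+', '@', '.' and '/'. The capturing
# parentheses are required: File::Find takes $1 as the untainted name.
# \z is used instead of $ so a trailing newline is not accepted.
my $dir_ok = qr{\A((?:[A-Za-z]:)?[-+\@\w./]+)\z};

# Assumed, stricter allow-list for the leaf names handled in wanted():
# must start with a word character, so no leading '-' or '.'.
my $leaf_ok = qr{\A(\w[-\w.]*)\z};

my @accepted;

sub wanted {
    # Names handed to wanted() come from readdir and are still tainted,
    # even with untaint => 1. File tests such as -f are allowed on them.
    return unless -f $_;
    if ($_ =~ $leaf_ok) {
        # $1 is untainted. File::Find has chdir'ed into $File::Find::dir,
        # so $1 is usable there for taint-checked operations.
        my $clean = $1;
        push @accepted, [ $File::Find::dir, $clean, -s $clean ];
    }
    else {
        warn "skipping unexpected file name in $File::Find::dir\n";
    }
}

find(
    {
        wanted          => \&wanted,
        untaint         => 1,        # untaint directory names before chdir
        untaint_pattern => $dir_ok,  # only names matching this are untainted
        untaint_skip    => 1,        # skip a failing directory instead of dying
    },
    $root,
);

printf "%s/%s (%d bytes)\n", @$_ for @accepted;
```

File::Find's default 'untaint_pattern' does not allow ':', which is why the drive letter is added to the pattern here. With 'untaint_skip' set, a directory whose name fails the pattern is silently left out along with everything below it.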
 