Probably one of the components of the filename passed as an argument to open is tainted. Untaint it (carefully) and it should work; if it doesn't, post your open statement, and the statements that assigned to any variables that are used in the open string. Or better yet, create a minimal test case, which will probably help you in figuring out what's going on. You can use Scalar::Util::tainted to see what's getting tainted, and you should probably also read perlsec to understand what rules Perl enforces when running in taint mode.
As others have mentioned, Perl automatically runs in taint mode when it is setuid or setgid. That is almost always the right thing to do, but if you don't like it, you can always recompile your copy of Perl with that code commented out. You could also blindly untaint all of your data, run your program under sudo instead of making it setgid, or write a wrapper program which sets up the GIDs then exec's a copy of the real program, which if you're careful will not be running in taint mode.
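The check-then-untaint sequence described in the reply above, as an added example that is not part of the original post: it reports taint with Scalar::Util::tainted, shows a write-open being refused, then untaints through an allow-list capture. The directory, the fallback file name and the pattern are assumptions chosen for the demo.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_demo.pl [filename]
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: a fixed, program-chosen directory. It is a literal, so untainted.
my $dir = '.';

# Constructed sample input. Command-line arguments are tainted under -T.
my $name = @ARGV ? $ARGV[0] : 'taint-demo.log';
# Appending zero characters of a tainted value taints the fallback as well,
# so the demo behaves the same when run without arguments.
$name .= substr($ENV{PATH} // '', 0, 0);

printf "before: tainted=%d\n", tainted($name) ? 1 : 0;

# Opening for write or append with tainted data dies with
# "Insecure dependency in open"; eval catches it so the demo can continue.
my $ok = eval {
    open(my $probe, '>>', "$dir/$name") or die "open: $!\n";
    close $probe;
    1;
};
print "tainted open: ", ($ok ? "succeeded\n" : "refused: $@");

# Untaint carefully: capture against an allow-list instead of /(.*)/.
# Plain file name only: no slash, no leading dot or dash, bounded length.
# Text captured by a regex group is untainted (unless "use re 'taint'"
# or "use locale" is in effect).
my ($clean) = $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/
    or die "rejecting unsafe filename\n";

printf "after:  tainted=%d\n", tainted($clean) ? 1 : 0;

# The same open now passes the taint check.
open(my $fh, '>>', "$dir/$clean") or die "open $dir/$clean: $!\n";
print {$fh} "written after untainting\n";
close $fh or die "close: $!\n";
print "clean open: succeeded ($dir/$clean)\n";
```

Passing a name such as `../x` or `/etc/passwd` makes the script die at the allow-list step instead of reaching the second open.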