Re: How to safely define a CGI program's application base directory

Just use the standard laundering technique (see perlsec):

my $app_base = $ENV{AppBase};
if ($app_base =~ m{^(/var/www/[^/]+)$}) {
    $app_base = $1; # $app_base no longer tainted.
}
my $logfile = catdir($app_base, 'mylogfile');
[download]

لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ

Comment on Re: How to safely define a CGI program's application base directory Download Code

Replies are listed 'Best First'.
Re^2: How to safely define a CGI program's application base directory by ddmiller (Initiate) on Feb 10, 2013 at 21:47 UTC
Thank you for taking time to reply. That might work in some environments, but it assumes that all of the servers use the same path prefix (/var/www). I don't believe that's true in our case. I suppose I could include a note in the installation instructions that the application name must be the final directory element in the AppBAse environment variable. Then I could use a regular expression something like this: `m{^(/.+/MyApp/)$}` [download] That should be sufficient to satisfy the untainting requirement, but I'm not sure whether it really makes the value "safe". Thanks again for responding so quickly.	[reply] [d/l]
Re^3: How to safely define a CGI program's application base directory by choroba (Cardinal) on Feb 10, 2013 at 22:37 UTC
What threat are you trying to avoid? It is upon you to tell what is safe. If you know there are three possible values, you can try something like `m{^(/path1\|/path2\|/path3)/MyApp$}` [download] Someone can still tweak the config to point to a wrong path (valid for a different server). You can even include other conditions into the `if`, not only the single match. لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ	[reply] [d/l] [select]