in reply to Insecure Dependency in Taint Mode

(Perhaps you should re-read Re: When not to use taint mode.)

Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 187

That's a hint, but not very helpful. So you managed to pass a tainted value to some IO::File method that calls open. In the current version of IO::File (v1.48), line 187 is at the end of the IO::File->open() method.

Luckily, the Carp::Always module can help here. I use a simpler example to demonstrate it:

#!/usr/bin/perl -T
# This is taint.pl

use strict;
use warnings;
use IO::File;

my $fn=$ARGV[0] or die "Missing filename";
my $fh=IO::File->new();
$fh->open($fn,'w') or die "open $fn failed: $!";
$fh->print("This should not happen!");

Note that you need to start perl with the -T flag if it is also in the #! line:

/tmp>perl -T taint.pl /dev/null
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 184.
/tmp>perl -MCarp::Always -T taint.pl /dev/null
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 184.
        IO::File::open(IO::File=GLOB(0x1520be8), "/dev/null", "w") called at taint.pl line 10
/tmp>

Now, that's a more helpful error message. I messed up line 10 of my test script, passing a tainted $fn to IO::File->open(). 'w' can't be tainted, as it is a constant. Why is $fn tainted? Because it was copied from the tainted list of arguments @ARGV. (In theory, $fh could also be tainted, depending on what IO::File->new() does.)

Update: How to debug CGIs from the command line: Re: Running a CGI script from a command line?

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
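The following is an added example, not code from the post above: it shows the fix that the diagnosis leads to, checking the taint flag with Scalar::Util::tainted and clearing it with a regex capture before the filename reaches IO::File->open. The whitelist pattern (a plain file name directly under /tmp) and the script name untaint.pl are assumptions chosen for the example; adjust the pattern to whatever your program actually accepts.

```perl
#!/usr/bin/perl -T
# untaint.pl (added example, not part of the original post)
# Shows how to clear the taint flag on a filename taken from @ARGV
# before handing it to IO::File->open under -T.
use strict;
use warnings;
use IO::File;
use Scalar::Util qw(tainted);

# Under -T, every element of @ARGV carries the taint flag.
my $arg = $ARGV[0] // die "Missing filename\n";
print "argument is tainted\n" if tainted($arg);

# Validate against an explicit pattern. Only the captured part loses
# its taint, so the capture group must cover the whole accepted value.
# The pattern here (simple name directly under /tmp, no separators,
# no '..') is an assumption for this example.
my ($fn) = $arg =~ m{\A(/tmp/[A-Za-z0-9_.-]+)\z}
    or die "Refusing unexpected filename '$arg'\n";
print "untainted filename: $fn\n" unless tainted($fn);

# Same call that failed in taint.pl, now with an untainted argument.
my $fh = IO::File->new();
$fh->open($fn, 'w') or die "open $fn failed: $!";
$fh->print("written via validated path\n");
$fh->close or die "close $fn failed: $!";
```

Run it as perl -T untaint.pl /tmp/example.txt; as noted in the post, the -T on the command line must match the #! line. Passing /dev/null or any other path outside the pattern is rejected by the die rather than by the "Insecure dependency" message, which is the point: the check happens in your code, where the error is attributable, instead of deep inside IO::File.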