in reply to Revisiting Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542

I cannot reproduce your problem. The code you posted simply does not work. I added some required lines:

#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec;
use File::Temp qw( tempdir );

my $pathdir = $ENV{HOME};                                        # tainted: comes from the environment
(-d $pathdir) and File::Spec->file_name_is_absolute($pathdir);   # tests only; the result is never used

my $workdir = tempdir("temp.XXXXXX", DIR => "log");              # line 10, where the error below points

Running that with taint mode, i.e. perl -T perlmonks.pl, creates the following error:

$ perl -T perlmonks.pl
Error in tempdir() using log/temp.XXXXXX: Parent directory (log) does not exist at perlmonks.pl line 10.
$

After creating the missing directory, there are no more errors or warnings:

$ mkdir log
$ perl -T perlmonks.pl
$

Please post a Short, Self-Contained, Correct Example.


Generally, taint errors indicate that you have used data from outside Perl (i.e. environment, command line parameters, file contents) without a formal validation. See Re: When not to use taint mode for what taint mode actually does. It is pretty simple, not much more than a flag on a value that is hard to remove, "infects" other values with most operations, and causes a crash when a flagged ("tainted") value is passed to selected functions.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
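The behaviour described in the post above (a tainted flag that spreads through string operations, can only be removed by a regex capture, and makes mkdir refuse the value) can be observed directly with Scalar::Util::tainted. The script below is an added example, not code from this thread or from File::Temp; it assumes the parent directory name is given on the command line (perl -T taint_demo.pl log) so that it arrives tainted, exactly like data from %ENV would.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: watch a tainted value propagate,
# fail inside File::Temp::tempdir (mkdir is a taint-checked op), then get
# untainted with a whitelist regex and succeed.
use strict;
use warnings;
use Scalar::Util qw( tainted );
use File::Temp   qw( tempdir );

die "usage: $0 <parent dir>\n" unless @ARGV;
my $parent = shift;            # command line arguments are tainted under -T
printf "argument tainted?        %s\n", tainted($parent) ? "yes" : "no";

# Taint spreads through ordinary string operations, even through a
# pure function such as a path join; the result is tainted because an
# input was.
my $logdir = "./$parent";
printf "derived path tainted?    %s\n", tainted($logdir) ? "yes" : "no";

# mkdir() inside File::Temp::tempdir refuses a tainted DIR with
# "Insecure dependency in mkdir while running with -T switch".
my $dir = eval { tempdir("temp.XXXXXX", DIR => $logdir, CLEANUP => 1) };
print "tempdir with tainted DIR died:\n  $@" if $@;

# The only sanctioned way to untaint is a regex capture. Whitelist the
# characters you are willing to accept in a path; a blanket /(.*)/ keeps
# -T from crashing but throws away the protection.
my ($clean) = $logdir =~ m{\A([\w./-]+)\z}
    or die "refusing path with unexpected characters: $logdir\n";
printf "whitelisted copy tainted? %s\n", tainted($clean) ? "yes" : "no";

# tempdir() also insists that the parent exists (the "Parent directory
# (...) does not exist" error in the thread), so create it if needed.
# mkdir on $logdir instead of $clean would die with the same taint error.
mkdir $clean or die "mkdir $clean: $!" unless -d $clean;
my $work = tempdir("temp.XXXXXX", DIR => $clean, CLEANUP => 1);
print "created $work (removed again at exit by CLEANUP)\n";
```

Running it with a tainted but harmless argument such as log prints "yes", "yes", the mkdir taint error from inside File/Temp.pm, then "no" and the created directory; an argument containing shell metacharacters or a newline is rejected by the whitelist before it reaches the filesystem.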

Re^2: Revisiting Insecure dependency in mkdir while running with -T switch at ... File/Temp.pm line 542
by sidney (Acolyte) on Apr 21, 2024 at 23:10 UTC
    Alexander - I quoted just the most relevant lines of code. The link I posted to the failing test report shows it failing. As I meant to imply, the test t/a1.t in that module is the Short, Self-Contained, Correct Example of the problem; the other test files add monkey patches to try to diagnose where the taint happens. Like you, I cannot reproduce the error myself; it only happens on certain CPAN test machines and not on any attempt I've made to create a VM with the same OS and perl versions. As I said, my tests run with ./log already existing in the environment. When ./log exists, correct behavior is no error. Without ./log, correct behavior is the "directory does not exist" error. My test module has the log directory in the MANIFEST so that the only failures on CPAN are due to the bug. I think I understand what taint mode does. The monkey-patched test in t/a4.t shows that untainted data is being passed to File::Spec::Unix->canonpath, whose source code does not make use of any external data, and the return value from that function call is tainted. When I try to monkey-patch canonpath, the error does not happen even on the relevant CPAN test machines. It's a heisenbug. Hence the mystery I am asking about.