Win32 taint...shouldn't this fail?

InfiniteSilence has asked for the wisdom of the Perl Monks concerning the following question:

I have run the following code on Win32 using ActiveState perl 5.6.

#!/usr/local/bin/perl -Tw
       use CGI ':standard';
       $file = param('file');
       $comment = param('comment');
       unless ($file) { $file = 'xcanalys.txt'; }
       unless ($comment) { $comment = 'No comment'; }
       open (OUTPUT, ">>./" . $file) or die "$!";
       print OUTPUT $comment . "\n";
       close OUTPUT;
       print header, start_html;
       print "<P>Thanks!</P>\n";       
       print end_html;
1;
[download]

Here is the command line:

perl -T tainttest.pl
(offline mode: enter name=value pairs on standard input)
^Z
[download]

Without untainting the information coming out from param(), this short script appends to the file! Isn't this supposed to fail?

Celebrate Intellectual Diversity

Comment on Win32 taint...shouldn't this fail? Select or Download Code

Replies are listed 'Best First'.
Re: Win32 taint...shouldn't this fail? by nardo (Friar) on Sep 19, 2001 at 21:48 UTC
It looks like you aren't entering in a filename, if that's the case then $file gets its value directly from the script (`$file = 'xcanalys.txt';`) which is why it isn't tainted.	[reply] [d/l]
Re: Win32 taint...shouldn't this fail? by hopes (Friar) on Sep 20, 2001 at 04:08 UTC
Hi, This is what I've found in CGI documentation " ... If a value is not given in the query string, as in the queries ``name1=&name2='' or ``name1&name2'', it will be returned as an empty string. This feature is new in 2.63. ... " So, as you don't give any value to the param 'comment' `$comment = param('comment');` [download] `$comment` will have the empty value ''. Then `unless ($comment) { $comment = 'No comment'; }` will update `$comment` to 'No comment' (An empty value is false, so $comment evaluates to false, an the code is executed) I'm using version 2.36 1997/5/10 8:22 and I can't see any difference in behaviour. I get the same result. Regards Hopes	[reply] [d/l] [select]
Re: Win32 taint...shouldn't this fail? by InfiniteSilence (Curate) on Sep 20, 2001 at 18:02 UTC
Oops, I added the incorrect information as to what I typed in on the command line. I tried it this way as well: `perl -t tainttest.pl (offline mode: enter name=value pairs on standard input) file=foo.txt comment="now" ^Z` [download] This modifies foo.txt with the argument. I tried the same thing on a UNIX box and it failed, as expected. Anybody know any reason why taint checking is not working on the Win32 command line? Celebrate Intellectual Diversity	[reply] [d/l]
Re: Re: Win32 taint...shouldn't this fail? by hopes (Friar) on Sep 21, 2001 at 21:29 UTC
OK, well... In Linux, when you do ^Z (CTRL+Z) you are stopping the current process (and there is no output in the file) To end the tainting, you should make ^D (instead ^Z) I've executed my script in a i386-Linux with Perl v5.6.0 and the output is what you expect. Hope this help hopes	[reply]