PeterKaagman has asked for the wisdom of the Perl Monks concerning the following question:

Hi there monks,

The following has been bugging me for some time now. I have not been able to find an answer to it, and it has made me not use taint mode while the situation asks for it.

What is the case... Well... I'm putting together some website with some Perl AJAX responders. Lazy SOB as I am, I always put functions (like checking the login status of a user) in a module. I learned how to add a module from the current directory:

    #! /usr/bin/perl -wT
    use strict;
    $ENV{PATH} = '';
    use File::Basename qw(dirname);
    use Cwd qw(abs_path);
    use lib qw(.);
    use lib dirname(dirname abs_path $0);
    use SiteFunctions qw(ValidLogin);

This works A-OK without the -T but breaks on the "use SiteFunctions qw(ValidLogin);" with taint mode enabled (like above). Like so:

    pkn@ilak:/home/sites/feedback/cgi-bin$ ./test.pl
    Insecure dependency in require while running with -T switch at ./test.pl line 13.
    BEGIN failed--compilation aborted at ./test.pl line 13.

I would very much like to have taint mode in effect... any help on this will be appreciated greatly.

Peter

NB

What I see is a compilation error. Isn't taint mode something which is done at run time?

Re: Own modules and tainted mode
by Corion (Patriarch) on May 28, 2018 at 12:15 UTC

    Most likely you'll fare better by using an absolute path instead of a relative path:

    use lib qw(/home/sites/feedback/cgi-bin);

    I think that:

    use lib dirname(dirname abs_path $0);

    puts a tainted value into @INC because $0 can be under the control of an attacker (through symlinks or hardlinks).

      Correct: $0 is tainted.
      perl -MScalar::Util=tainted -T -e 'print "tainted!\n" if tainted($0)'

        Suspected $0 to be tainted, so untainted it the quick way:

        $0 =~ /([\.\/\w]+)/;
        and used $1 instead of $0... did not do the trick.

        I could indeed use an absolute path in the use lib.... but that would make it less portable... it would only work for that location

Re: Own modules and tainted mode
by haukex (Archbishop) on May 28, 2018 at 16:54 UTC
    use lib qw(.);

    I would recommend against this in a production environment, since you probably won't know what the current working directory is, and you don't want to accidentally load modules that happen to be lying around in the cwd.

    use File::Basename qw(dirname);
    use Cwd qw(abs_path);
    use lib dirname(dirname abs_path $0);

    You should be able to shorten this to use FindBin; use lib $FindBin::Bin; (see FindBin), although unfortunately that also won't work under taint mode. The problem with relative paths and attempting to figure out the path where the Perl script is located is that an attacker could theoretically fool your Perl script into loading a version of a module with malicious code. So I agree with Corion that you're probably better off just using an absolute pathname. If you need your scripts to be portable, you could consider other methods, like configuration files at known locations.
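An added example that is not code from any poster in this thread: it puts together Corion's observation that $0 is tainted, the absolute-path approach both replies recommend, and the compile-time detail behind the question's follow-up (the regex on $0 ran at run time, after every `use` had already executed, so `use lib` never saw the untainted $1). The directory /srv/app/lib and the lib/ directory next to the script are placeholder locations, not paths from the thread.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Shows how taint mode interacts
# with `use lib`. /srv/app/lib and the lib/ directory next to the script
# are placeholder locations.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Basename qw(dirname);
use Cwd qw(abs_path);

# Under -T the environment is tainted too; clear PATH before any child process.
$ENV{PATH} = '';

# Recommended in the replies: a literal absolute path. A string constant
# in the source is never tainted, so `use lib` accepts it under -T.
use lib '/srv/app/lib';

# Deriving the directory from $0 is weaker (the replies say why), but if it
# is done at all it must happen at compile time, because `use lib` runs
# while the file is still being compiled. A bare `$0 =~ /.../;` in the
# main body runs after every `use` and so never affects @INC.
my $script_dir;
BEGIN {
    my $path = abs_path($0);
    # Whitelist: an absolute path made only of word chars, '.', '/', '-'.
    # The capture $1 is untainted; anything else is rejected outright.
    if (defined $path && $path =~ m{\A(/[\w./-]+)\z}) {
        $script_dir = dirname($1);
    }
    else {
        die "refusing to build a library path from '$0'\n";
    }
}
use lib "$script_dir/lib";    # hypothetical lib/ beside the script

# Report what happened so the effect is visible when the script is run.
printf "\$0 tainted: %s\n",         tainted($0)          ? 'yes' : 'no';
printf "script_dir tainted: %s\n",  tainted($script_dir) ? 'yes' : 'no';
print  "\@INC starts with: $INC[0], $INC[1]\n";
```

Run it as `./script.pl` or `perl -T script.pl` (with -T on the #! line, perl insists that the switch also appears on the command line). The whitelist only guarantees that the value placed in @INC is well-formed and untainted; it does not make the location trustworthy, which is exactly the caveat haukex raises about paths derived from $0, so the literal absolute path remains the preferable choice.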