Sanjay has asked for the wisdom of the Perl Monks concerning the following question:

Perl CGI giving error while using Taint when uploading a file:

Insecure dependency in sysopen while running with -T switch at C:/Perl/site/lib/File/Temp.pm line 512.

Script works fine when Taint is not used in the shebang line. Error when Taint is on.
#!C:/Perl/bin/perl.EXE -wT
# CGI program to check Taint problem while uploading file. It prompts
# for the name of the file to be uploaded and displays the name of the
# uploaded file.
# Tested in:
#   OS Windows-7 32 bit,           Perl 5.22.3, Apache 2.2
#   OS WindowsServer-2012 64 bit,  Perl 5.24.2, Apache 2.4.20
#   OS Centos-6.10 64 bit,         Perl 5.26.1, Apache 2.2.15
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);

my $q = CGI->new;
my $p_upl_new_file = $q->param("p_upl_new_file") || '';

sPrintForm();
exit;

###################################################################
sub sPrintForm {
    print $q->header();
    print $q->start_html();
    print $q->start_form({-name => "form1"});
    print $q->h1({-align => "center"}, "File Upload Test");
    print "<br><br>";
    print $q->filefield(-name => 'p_upl_new_file');
    print "<br><br>";
    print $q->submit(-name => "action_submit", -value => "Submit");
    print "<br><br>";
    print "File name $p_upl_new_file";
    print $q->end_form;
    print $q->end_html;
}
# END #############################################################

Replies are listed 'Best First'.
Re: Taint error on file upload
by poj (Abbot) on Oct 16, 2018 at 15:52 UTC

    See the reply regarding the temp directory from ikegami to the Stackoverflow question here

    poj
Re: Taint error on file upload
by 3dbc (Monk) on Oct 16, 2018 at 15:40 UTC
Re: Taint error on file upload
by Anonymous Monk on Oct 19, 2018 at 00:48 UTC

    Hi,

    If you're going to turn on taint, you need to read perlsec, and sanitize %ENV

Re: Taint error on file upload
by Sanjay (Sexton) on Nov 30, 2018 at 16:53 UTC
    Sorry Monks! Read all the links & their further links to no avail. Can someone post a few correcting lines of code. Usually I also dislike spoon feeding, but unable to proceed. Thanks. And apologies again.

    2018-12-01 Athanasius restored contents

      %ENV is tainted, meaning $ENV{TEMP} and what not is tainted ...
      $ perl -Te "$f=$ENV{TEMP}.q{/junk}; open my($fh), q{>}, $f; "
      Insecure dependency in open while running with -T switch at -e line 1.

      In your program write $ENV{TEMP}='...'; or untaint the other way
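A taint-clean version of the upload script, added here as an example and not taken from any of the posters. It assigns literal (hence untainted) values to PATH and TMPDIR/TEMP/TMP before CGI->new, which is the point at which File::Temp creates the spool file, and untaints the client-supplied file name with a whitelist regex as perlsec describes. The directory paths and the PATH value are placeholders to adjust for the server.

```perl
#!/usr/bin/perl -wT
# Added example, not the original poster's script: a taint-clean upload handler.
use strict;
use warnings;
use CGI;
use File::Copy qw(copy);

# Placeholders: pick directories the web server user can write to.
my $TMP_DIR    = '/tmp';           # e.g. 'C:/Temp' on Windows
my $UPLOAD_DIR = '/tmp/uploads';   # where accepted files are stored
my $SAFE_PATH  = '/usr/bin:/bin';  # e.g. 'C:/Windows/System32' on Windows

# Under -T every %ENV value is tainted. File::Temp chooses its directory from
# TMPDIR/TEMP/TMP, so the upload's sysopen fails with "Insecure dependency".
# Literal strings are never tainted; assign them BEFORE CGI->new, because
# parsing the request is what creates the temporary file.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # perlsec recommendation
$ENV{PATH} = $SAFE_PATH;
$ENV{$_}   = $TMP_DIR for qw(TMPDIR TEMP TMP);

my $q = CGI->new;
print $q->header('text/plain');

my $fh   = $q->upload('p_upl_new_file');   # handle to the spooled temp file
my $name = $q->param('p_upl_new_file');    # tainted: chosen by the client

if (defined $fh) {
    # Keep only the last path component, then untaint by regex capture. Only
    # the captured text is clean, and the pattern is a whitelist: word chars,
    # dot and dash, no leading dot (which also rejects '.' and '..').
    my ($base) = ($name // '') =~ m{([^/\\]+)\z};
    my ($safe) = ($base // '') =~ /\A([\w-][\w.-]{0,63})\z/;

    if (defined $safe) {
        my $dest = "$UPLOAD_DIR/$safe";    # both parts untainted
        if (-e $dest) {
            print "Refusing to overwrite existing file $safe\n";
        } elsif (copy($fh, $dest)) {
            print "Stored upload as $safe\n";
        } else {
            print "Could not store upload\n";  # details go to the error log only
            warn "copy to $dest failed: $!";
        }
    } else {
        print "Rejected upload: file name not in the allowed character set\n";
    }
} else {
    print "No file uploaded\n";
}
```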