hotshot has asked for the wisdom of the Perl Monks concerning the following question:

Hi

I used the rmtree function of the File::Path module and got 'Insecure dependency in unlink while runing as setuid at /usr/lib/perl5/5.6.1/File/Path line 233' even though I laundered the path name I sent to rmtree. do you have a suggestion why did it happen?
my launder code is : 
if ($path =~ /^([-\@\w.\/\s]+)$/) {
   $path = $1;
} else {
   die "Bad path in $path";
}

[download]
and about cleaning the path, I never had to do this before with perl functions (always with system commands), does something like the followings is good ?: 
$ENV{PATH} = '/usr/lib/perl5/5.6.1/File/';

[download]
thanks

Replies are listed 'Best First'.
Re: Insecure dependency
by davorg (Chancellor) on Nov 19, 2001 at 17:46 UTC

    rmtree uses either rmdir or unlink to actually do the removal. Therefore in taint mode, you need to set the path to a known value before calling it.

    You seem to have the right idea. I'd do something like

    $ENV{PATH} = '/bin:/usr/bin';

    [download]
    --
    <http://www.dave.org.uk>

    "The first rule of Perl club is you don't talk about Perl club."

[reply]
[d/l]
Re: Insecure dependency
by rob_au (Abbot) on Nov 19, 2001 at 17:41 UTC
    As I pointed out in this post in your other thread here, you have not correctly laundered your variable - Your inclusion of '\s' and more importantly '\/' (shell path separator) in your laundering regular expression still leaves your data tainted as per the perlsec documentation. It is because of this that you are still getting this error.

    Also as pointed out in my other post, information on cleaning up your PATH environment variable can be found in the perlsec documentation page.

    Have a read through my other post in the other thread and more importantly the perlsec documentation.

    Update - As per davorg's comments below, whose comments regarding the environment were echoed in the previous thread with links to perlsec documentation.

     

    Ooohhh, Rob no beer function well without!

[reply]
[d/l]
[select]
      Your inclusion of '\s' and more importantly '\/' (shell path separator) in your laundering regular expression still leaves your data tainted as per the perlsec documentation.

      Er, no. I think you need to re-read perlsec yourself. Here's an interesting section:

      The only way to bypass the tainting mechanism is by referencing subpatterns from a regular expression match. Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern.

      What this means is that Perl makes no value judgement whatsoever on the quality of your untainting regex. You can untaint data by passing it through any regex. Even this:

      if ($data =~ /(.*)/) {
  $data = $1;
}

      [download]

      Of course you shouldn't ever do that, because, as perlsec goes on to say:

      That means using a bit of thought--don't just blindly untaint anything, or you defeat the entire mechanism.

      The errors that hotshot is getting are purely because rmtree calls external programs (unlink or rmdir) and you can't do that in taint mode without setting $ENV{PATH} to a known value.

      --
      <http://www.dave.org.uk>

      "The first rule of Perl club is you don't talk about Perl club."

[reply]
[d/l]
        I tried doing everything you said: used the laundry exactly as on the perlsec, added $ENV{PATH} = '/bin:/usr/bin' and nothing helped. all I managed to understand is that I get the 'Insecure dependency...' message only when I try to preform 'rmtree' on a non empty directory, I even tried to use 'chroot', but got the same result.

        help me please

        Hotshot
[reply]

Back to Seekers of Perl Wisdom