in reply to Re: Insecure dependency
in thread Insecure dependency
Your inclusion of '\s' and more importantly '\/' (shell path separator) in your laundering regular expression still leaves your data tainted as per the perlsec documentation.
Er, no. I think you need to re-read perlsec yourself. Here's an interesting section:
The only way to bypass the tainting mechanism is by referencing subpatterns from a regular expression match. Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern.
What this means is that Perl makes no value judgement whatsoever on the quality of your untainting regex. You can untaint data by passing it through any regex. Even this:
if ($data =~ /(.*)/) { $data = $1; }
Of course you shouldn't ever do that, because, as perlsec goes on to say:
That means using a bit of thought--don't just blindly untaint anything, or you defeat the entire mechanism.
The errors that hotshot is getting are purely because rmtree calls external programs (unlink or rmdir) and you can't do that in taint mode without setting $ENV{PATH} to a known value.
--"The first rule of Perl club is you don't talk about Perl club."
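An added example (not from the original post or from perlsec) that demonstrates the mechanism described above under `perl -T`: a `(.*)` capture untaints anything, whereas an anchored whitelist pattern only returns a value when the input actually conforms. It assumes `Scalar::Util::tainted` and one argument passed on the command line.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: run as
#   perl -T untaint_demo.pl 'evil/../name'      (rejected by the strict pattern)
#   perl -T untaint_demo.pl 'report-2001.txt'   (accepted)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "usage: $0 <string>\n" unless @ARGV;

# Under -T, anything from @ARGV is tainted.
my $input = $ARGV[0];
print "raw input tainted:      ", (tainted($input) ? 'yes' : 'no'), "\n";

# Lax "untaint": matches every string, so perl trusts whatever came in.
my ($lax) = $input =~ /(.*)/s;
print "after /(.*)/ tainted:   ", (tainted($lax) ? 'yes' : 'no'), "\n";

# Strict untaint: a plain filename only (no '/', no leading dot, no newline).
# \A and \z are used instead of ^ and $ because $ still allows a trailing "\n".
my ($safe) = $input =~ /\A([A-Za-z0-9][\w.-]*)\z/;
if (defined $safe) {
    print "strict pattern accepted '$safe', tainted: ",
          (tainted($safe) ? 'yes' : 'no'), "\n";
} else {
    print "strict pattern rejected '$input'; nothing untainted\n";
}
```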
Re: Re: Re: Insecure dependency
by hotshot (Prior) on Nov 19, 2001 at 22:28 UTC