Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Can anyone help me out? I have a CGI script with the following code in it:
    $file =~ /^([-\w.]+)$/;
    $file = $1;
    $realm =~ /^([-\w.]+)$/;
    $realm = $1;
    $user_dir =~ /^([-\w.]+)$/;
    $user_dir = $1;
    unlink("/home/httpd/sec-html/$realm/$user_dir/$file");
Which generates the following error:
    Insecure dependency in unlink while running with -T switch at /home/httpd/sec-cgi/surflo/todd/delete line 47.
What am I doing wrong? Thanks. -Todd

Replies are listed 'Best First'.
Re: Having problems with unlink and taint mode.
by chromatic (Archbishop) on Jan 18, 2002 at 10:24 UTC
    Throw some ifs in there, cowboy:
    if ($file =~ /^([-\w.]+)$/) {
        $file = $1;
    } else {
        print "Couldn't untaint \$file!\n";
    }
    Assuming success won't help -- if it fails, either the taint will persist or you'll get the results of the first capture from the last successful match.

    (I had to look up the behavior of '.' within a character class, 'cuz I so rarely use it.)

Re: Having problems with unlink and taint mode.
by Anonymous Monk on Jan 18, 2002 at 08:49 UTC
    Problem solved! One of the expressions didn't match, which
    I guess caused a variable not to be un-tainted.
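
The check-before-assign pattern from the replies, applied to all three path components, as an added example that is not part of the original thread. It goes slightly beyond the thread by also refusing "." and "..", which the character class accepts; the helper name untaint_component and the sample values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run with: perl -T thisfile.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Return an untainted copy of one path component, or undef if it does not
# match the thread's whitelist. Only a successful capture clears taint.
sub untaint_component {
    my ($value) = @_;
    return unless defined $value;
    # "." and ".." satisfy [-\w.]+ but are directory references, not names.
    return if $value eq '.' || $value eq '..';
    # \z (not $) so a trailing newline is rejected rather than ignored.
    return $1 if $value =~ /^([-\w.]+)\z/;
    return;   # no match: report failure, never fall through to a stale $1
}

# Constructed sample input. $^X is tainted under -T, so appending a
# zero-length slice of it taints each string without changing its value.
my $taint = substr($^X, 0, 0);
my %param = (
    realm    => 'surflo' . $taint,
    user_dir => 'todd' . $taint,
    file     => 'notes 2002.txt' . $taint,   # the space makes the match fail
);

my (%clean, @rejected);
for my $name (qw(realm user_dir file)) {
    my $ok = untaint_component($param{$name});
    if (defined $ok) { $clean{$name} = $ok }
    else             { push @rejected, $name }
}

if (@rejected) {
    # Stop here instead of letting a tainted value reach unlink.
    print "Couldn't untaint: @rejected\n";
} else {
    my $path = "/home/httpd/sec-html/$clean{realm}/$clean{user_dir}/$clean{file}";
    printf "would unlink %s (tainted: %s)\n", $path, tainted($path) ? 'yes' : 'no';
}
```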