I have a (relatively) simple script which checks a directory every few seconds for any files. If a file is there, it checks to make sure its name matches the format we're looking for (something like foo.bar.baz.xml). If it does match, the file gets processed. If it doesn't match, the file is to be moved to a different directory for later inspection.
The challenge I'm facing is that I need to untaint the 'bad' filename before I'm allowed to move it (actually rename, which in this case moves the file). Well, since it's a 'bad' file, I'm not sure what its name looks like. In fact that's about the only thing I know about the filename, that it doesn't match what I'm looking for.
So, what is the best practice here? Should I just match anything (i.e. $filename=~/^(.+)$/; $file=$1;), or maybe turn taint checks off for that little bit of the script which moves the file (is that even possible, since taint checks are enabled from the command line)? Matching everything raises a big old red flag in my head, but I don't really see any other way around it.
I should mention that by the time the script gets to this point, I've performed at least a couple of tests on the file (i.e. -f $filename) to determine that it does look like a file to the system. So that may limit my vulnerability. Lemme know.
The one thing I'm sure of is that I'd like that directory empty before it gets checked again.
Thanks for any insights.
db
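One way to handle the move under taint mode, as an added example that is not part of the original post: untaint the readdir() entry with a capture that encodes only the invariant actually needed for a safe rename() (no slash, no NUL, not "." or ".."), and never reuse the untrusted name as the destination. The paths /var/spool/incoming and /var/spool/quarantine and the process_file sub are constructed stand-ins.

```perl
#!/usr/bin/perl -T
# Run with taint checks on: perl -T quarantine.pl
use strict;
use warnings;
use File::Spec;

# Constructed paths for this example; literals, so they are not tainted.
my $INBOX      = '/var/spool/incoming';
my $QUARANTINE = '/var/spool/quarantine';

# The name format we want to process, e.g. foo.bar.baz.xml
my $GOOD_NAME = qr/^([a-z0-9]+(?:\.[a-z0-9]+)+\.xml)\z/i;

# Untaint a readdir() entry for use as the *source* of rename().
# readdir never returns a '/', and we refuse '.' and '..', so the only
# content that could redirect the rename is a NUL or a traversal
# component. The capture encodes exactly that invariant (note \z, not $,
# so a trailing newline in the name is not silently dropped).
sub untaint_entry {
    my ($name) = @_;
    return if $name eq '.' or $name eq '..';
    my ($clean) = $name =~ /^([^\/\0]+)\z/ or return;
    return $clean;
}

# Move a file aside without reusing its untrusted name as the destination:
# the target name is built only from values we generated ourselves.
my $seq = 0;
sub quarantine {
    my ($dir, $entry) = @_;
    my $src  = File::Spec->catfile($dir, $entry);
    my $dest = File::Spec->catfile($QUARANTINE,
                   sprintf('bad-%d-%d-%03d', time, $$, $seq++));
    rename $src, $dest or die "rename $src -> $dest: $!";
    return $dest;
}

# Hypothetical stand-in for the real processing step.
sub process_file { my ($path) = @_; print "processing $path\n" }

opendir my $dh, $INBOX or die "opendir $INBOX: $!";
while (defined(my $entry = readdir $dh)) {
    my $name = untaint_entry($entry) or next;   # skips '.', '..'
    my $path = File::Spec->catfile($INBOX, $name);
    next unless -f $path;                        # -f does not untaint; $name already is
    if ($name =~ $GOOD_NAME) { process_file($path) }
    else { warn "quarantined $name -> ", quarantine($INBOX, $name), "\n" }
}
closedir $dh;
```

Because the quarantine name is generated rather than copied, whatever oddities the original name carries stop at the log line and never reach later tooling.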