I've recently come across an 'Insecure dependency in chdir while running setuid' problem (again). The source of the thorn comes from the File::Path rmtree() function.

File::Path uses the following code to untaint directory reads:
$entry =~ /^(.*)$/s; $entry = $1; # untaint
But it appears this isn't sufficient. To fully untaint the path, the code needs to match/assign from different variables more like:
$_ = $entry; ($entry) = /^(.*)$/s; # result and source are different
Hopefully someday, File::Path will be corrected. But in the meantime, my application (which has properly untainted the directory name in the first place) can't call rmtree() without bombing.

My options as I see it are to either:
(a) patch File::Path (don't want to touch external code)
(b) copy the rmtree() code into my application and fix it there (may as well not use the module at all)
(c) turn off taint checking in my application whenever I call rmtree() (this doesn't work).

Option (c) seems the least obtrusive but taint checking alone doesn't seem to be the cure. Are there any other ways to get around this?

In reply to inconsistency in untaint by ruzam
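An added example, not part of ruzam's post: a script run under -T that uses Scalar::Util::tainted to report whether each of the two idioms above leaves a readdir() entry tainted on your perl, then calls rmtree() on a constructed scratch tree with an already-untainted directory name. Whether that final call trips the chdir taint check depends on your Perl and File::Path versions; the scratch tree and its file names are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): compare the two untaint idioms
# on real readdir() entries, then call rmtree() with an untainted path.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Path qw(mkpath rmtree);
use File::Temp qw(tempdir);

# Taint mode refuses system calls while %ENV is tainted, so sanitise it first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed scratch tree. Untaint the path explicitly (same idiom the post
# discusses) so the directory name handed to rmtree() is known-clean.
my ($base) = tempdir(CLEANUP => 1) =~ /^(.*)$/s;
mkpath("$base/a/b");
open my $fh, '>', "$base/a/b/file.txt" or die "open: $!";
close $fh;

# Entries returned by readdir() are tainted under -T.
opendir my $dh, "$base/a" or die "opendir: $!";
my @entries = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
closedir $dh;

for my $raw (@entries) {
    printf "%-12s tainted before: %d\n", $raw, tainted($raw) ? 1 : 0;

    # Idiom quoted from File::Path: match and assign on the same variable.
    my $same = $raw;
    $same =~ /^(.*)$/s; $same = $1;
    printf "  same-variable idiom      -> tainted: %d\n", tainted($same) ? 1 : 0;

    # Idiom proposed in the post: match $_, capture into a different variable.
    my $diff;
    { local $_ = $raw; ($diff) = /^(.*)$/s; }
    printf "  different-variable idiom -> tainted: %d\n", tainted($diff) ? 1 : 0;
}

# $base is untainted, so any "Insecure dependency in chdir" raised here comes
# from rmtree()'s own handling of the entries it reads, not from the caller.
rmtree($base);
print "rmtree succeeded, $base removed\n" unless -d $base;
```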
