Fundamentally, my question is "Why is the output of abs_path tainted?" That is, what are the security risks of trusting the output of abs_path, provided that the input data (the relative path) is untainted?

I'm asking because I call abs_path from the inside of a module (VCI) that I maintain on CPAN. I allow callers to specify a relative path to their repositories, and convert that to an absolute path before passing it to Git, CVS, or Subversion (none of which natively support relative paths).

I'm working on making VCI taint-safe.

Provided that the code I'm using to interact with these VCSes is otherwise safe, what risks would I be exposing my users to if I blindly detainted the output of abs_path inside of VCI?

"Don't allow relative paths" isn't an option, because the test suite needs to use them. Also, it would be a definite inconvenience in general.

-Max

---

---

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

• How do I compose an effective node title?
• How do I post a question effectively?
• Markup in the Monastery

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		&
	<		&lt;
	>		&gt;
	[		&#91;
	]		&#93;

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.