Mighty Monks,
I have been looking at a CMS that builds a filepath to a template based on a base directory path (from config), a relative page path (a query parameter), an optional directory path (a query parameter). and finally a template extension (from config).
The resulting file path is executed with "do EXPR".
As neither of the query parameters were untainted, I had trouble running the calling cgi script in taint mode. So I added the untainting regexes which you can see in the code block below. And the code now successfully runs in taint mode.
My questions:
I appreciate all advice/criticism on coding style etc.
sub load { my $self = shift; my $conf = $self->conf; my $query = $self->query; my @tainted_dirs = File::Spec->splitdir( $query->{dir} ); my ($tainted_page_volume,$tainted_page_path,$tainted_page_file) = +File::Spec->splitpath( $query->{page} ); my @tainted_page_dirs = File::Spec->splitdir( $tainted_page_path ) +; no locale; # untaint dir my @untainted_dirs; foreach (@tainted_dirs) { if (m/^([\w.-]+)$/) { push (@untainted_dirs, "$1") ; } elsif ($_) { croak ("TAINTED DIR PARAM: $_: $!"); } } my @untainted_page_dirs; foreach (@tainted_page_dirs) { if (m/^([\w.-]+)$/) { push (@untainted_page_dirs, "$1") ; } elsif ($_) { croak ("TAINTED PAGE DIR PARAM: $_: $!"); } } my $untainted_page_file; if ($tainted_page_file and $tainted_page_file=~ m/^([\w.-]+)$/) { $untainted_page_file = $1; } else { croak ("TAINTED PAGE FILE PARAM: $tainted_page_file: $!"); } my $template_file = File::Spec->catfile( $conf->{templates}, @untainted_dirs, @untainted_page_dirs, $untainted_page_file . $conf->{template_extension}, ); my $template = do $template_file or croak "Failed to load template file [$template_file] ($!) ( +$@)"; return $self->template( $template ); }
In reply to security and un-tainting paths by wrinkles
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |