Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I've written a script that works fine with -T, but when I use a backtick command, perl starts to complain. I've tried to untaint this data, but haven't succeeded. Can anyone help me? I used a simple regex just to check, but it won't help.
    my $_suffix = `rsh fs3cm -l ccmroot "/home/ccm_root/bin/UpdateSettingsNew.pl -r 62 -d $dbname"`;
    if ($_suffix =~ /(.+\s+.+\s+.+)/) {    # Untaint the scalar
        $suffix = $1;                      # Pass the value to this scalar if successfully untainted
    }
    else {                                 # Otherwise exit the program with error message
        $message = 'The remote shell command produced an error in this script.';
        &display_page($message);           # Create an HTML-page to display the message
        exit;
    }
    $message = "Database added to $file";
    &display_page($message);
    exit;
Perl doesn't like the first line, even if I untaint the $_suffix variable. Thanx a zillion...

Re: Untainting backtick command data
by eserte (Deacon) on May 18, 2004 at 11:55 UTC
    Is $dbname safe? Is your PATH safe? What's the exact error message? Did you try "use diagnostics"?
      All other scalars are safe. They were successfully untainted. I guess it should be $ENV{PATH} then. I'm just a beginner so I didn't even bother with this one. How can I untaint it?

        1. by setting it to a fixed value

        $ENV{PATH}="/path/part/one:/path/part/two";

        2. by un-setting it and calling the external prog directly:

        $ENV{PATH}=''; `/usr/bin/rsh ...`;

        regards,
        tomte


        An intellectual is someone whose mind watches itself.
        -- Albert Camus

Re: Untainting backtick command data
by Sidhekin (Priest) on May 18, 2004 at 11:59 UTC

    I haven't tried your code, but since you are using the shell to find the rsh command, $ENV{PATH} needs untainting first.

    print "Just another Perl ${\(trickster and hacker)},"
    The Sidhekin proves Sidhe did it!
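Putting eserte's, tomte's and Sidhekin's points together, here is an added example (not the poster's script and not code from this thread) of the same rsh call written so that it passes under -T. It assumes /usr/bin/rsh as the binary path, that the remote program prints a single line of printable text, and that real database names fit the whitelist pattern used here.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Added example, not the poster's script. Host, user and remote path come
# from the question; /usr/bin/rsh and the output format are assumptions.

# 1. Clean %ENV first: under -T perl refuses to start any external
#    program while PATH (or IFS, CDPATH, ENV, BASH_ENV) is tainted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Untaint $dbname with a whitelist, not a catch-all like /(.+)/.
#    rsh hands the command string to a shell on the remote host, so only
#    characters that are harmless inside that string may pass through.
sub untaint_dbname {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    return $1;
}

# 3. Run rsh by absolute path with the list form of open: no local shell
#    is involved, and rsh receives the remote command as one argument.
sub remote_suffix {
    my ($dbname) = @_;
    my $remote = "/home/ccm_root/bin/UpdateSettingsNew.pl -r 62 -d $dbname";
    open my $fh, '-|', '/usr/bin/rsh', 'fs3cm', '-l', 'ccmroot', $remote
        or die "cannot run rsh: $!";
    my $out = do { local $/; <$fh> };
    close $fh or die "rsh exited with status " . ($? >> 8) . "\n";

    # 4. The program's output is tainted as well; untaint it with a
    #    pattern describing the expected answer (assumed here: one line
    #    of printable text) before it is used anywhere sensitive.
    return $out =~ /\A([[:print:]]{1,200})/ ? $1 : undef;
}

my $dbname = untaint_dbname($ARGV[0])
    or die "usage: $0 <dbname> (letters, digits, _ . - only)\n";
my $suffix = remote_suffix($dbname);
die "remote command produced no usable output\n" unless defined $suffix;
print "suffix for $dbname: $suffix\n";
```

Start it as `perl -T script.pl <dbname>`; invoking it without -T on the command line while the shebang carries -T gives "Too late for -T".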