Insecure dependency error and $ENV{'PATH'}

bradcathey has asked for the wisdom of the Perl Monks concerning the following question:

Fellow monasterians,

I'm getting the "Insecure dependency in open while running with -T switch at scriptname line xxx" error. Googled and Super Searched and thought my problem might be my path. My regex looks okay, but now I have doubts. I'm guessing it's the path. Should it be set to the directory of the script or the destination directory?

NOTES: /xmpx/ is the directory that contains my executable scripts, and the subroutine is uploading an image.

What I am I not getting? TIA.

$ENV{'PATH'} = 'home/username/www/xmpx/';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
...
sub uploader {

   my $sourcefile = $query->param('uploadthis');
   $sourcefile =~ /([\w .-]+)$/i;   #strip off path
   my $newfile = $1;

   open (OUTFILE, ">../$branch/images/$newfile") or die "Cannot open $
+newfile: $!";
...
}
[download]

—Brad
"Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton

Comment on Insecure dependency error and $ENV{'PATH'} Download Code

Replies are listed 'Best First'.
Re: Insecure dependency error and $ENV{'PATH'} by Ovid (Cardinal) on Aug 05, 2004 at 15:11 UTC
Where does `$branch` come from? If it's not untainted, that could be your error. Cheers, Ovid New address of my CGI Course.	[reply]
Re^2: Insecure dependency error and $ENV{'PATH'} by bradcathey (Prior) on Aug 05, 2004 at 17:04 UTC
Thanks Ovid, et al! Totally my bad (thanks for not -- me too badly—oh, the joys of programming). `$branch` was the culprit and had nothing to do with `$ENV{'PATH'}` or `$newfile`. But did take the advice of diotalevi and captured potential errors (`$branch` is set by me so not a hazard). Revised code: `$branch =~ /^([\w-]+)$/i; $branch = $1; if ($sourcefile =~ /([\w .-]+)$/i) {; #strip off path stuff $newfile = $1; } else { return("Bad file name"); } open (OUTFILE, ">../$branch/images/$newfile") or die "Cannot open $new +file: $!"; ...` [download] —Brad "Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton	[reply] [d/l] [select]
•Re^3: Insecure dependency error and $ENV{'PATH'} by merlyn (Sage) on Aug 05, 2004 at 17:32 UTC
`$branch =~ /^([\w-]+)$/i; $branch = $1;` [download] This is not safe, particularly since you are doing this in the name of untainting. Never never never use $1 unless you've also checked that the match has succeeded. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply] [d/l]
Re^4: Insecure dependency error and $ENV{'PATH'} by bradcathey (Prior) on Aug 05, 2004 at 19:03 UTC
•Re: Insecure dependency error and $ENV{'PATH'} by merlyn (Sage) on Aug 05, 2004 at 15:13 UTC
I don't see where `$branch` is coming from. It's quite possibly tainted. Your `$newfile` looks fine, although it permits ".." and "flurbl\n", which are messy. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re: Insecure dependency error and $ENV{'PATH'} by diotalevi (Canon) on Aug 05, 2004 at 16:23 UTC
If `$sourcefile =~ /.../` does not match then $1 will contain whatever the last successful match captured. This is a bug in your program. You must test the result of the match for success and only then use $1 otherwise bail or use a sane default. `my $newfile = ( $sourcefile =~ /...(...).../i ? $1 : 'somedefault' );` [download]	[reply] [d/l] [select]
Re: Insecure dependency error and $ENV{'PATH'} by gellyfish (Monsignor) on Aug 05, 2004 at 15:12 UTC
I don't see where you are getting `$branch` from - that could be your problem. /J\	[reply] [d/l]