Re: Insecure dependency error and $ENV{'PATH'}

Replies are listed 'Best First'.
Re^2: Insecure dependency error and $ENV{'PATH'} by bradcathey (Prior) on Aug 05, 2004 at 17:04 UTC
Thanks Ovid, et al! Totally my bad (thanks for not -- me too badly—oh, the joys of programming). `$branch` was the culprit and had nothing to do with `$ENV{'PATH'}` or `$newfile`. But did take the advice of diotalevi and captured potential errors (`$branch` is set by me so not a hazard). Revised code: `$branch =~ /^([\w-]+)$/i; $branch = $1; if ($sourcefile =~ /([\w .-]+)$/i) {; #strip off path stuff $newfile = $1; } else { return("Bad file name"); } open (OUTFILE, ">../$branch/images/$newfile") or die "Cannot open $new +file: $!"; ...` [download] —Brad "Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton	[reply] [d/l] [select]
•Re^3: Insecure dependency error and $ENV{'PATH'} by merlyn (Sage) on Aug 05, 2004 at 17:32 UTC
`$branch =~ /^([\w-]+)$/i; $branch = $1;` [download] This is not safe, particularly since you are doing this in the name of untainting. Never never never use $1 unless you've also checked that the match has succeeded. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply] [d/l]
Re^4: Insecure dependency error and $ENV{'PATH'} by bradcathey (Prior) on Aug 05, 2004 at 19:03 UTC
Thanks for the gentle reprimand merlyn. I did state that I controlled $branch, but I do now see how it could get hacked anyway. Your point is well-taken. —Brad "Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton	[reply]