Re^2: Insecure dependency error and $ENV{'PATH'}

Thanks Ovid, et al! Totally my bad (thanks for not -- me too badly—oh, the joys of programming). $branch was the culprit and had nothing to do with $ENV{'PATH'} or $newfile. But did take the advice of diotalevi and captured potential errors ($branch is set by me so not a hazard). Revised code:

$branch =~ /^([\w-]+)$/i;
$branch = $1;

if ($sourcefile =~ /([\w .-]+)$/i) {;     #strip off path stuff
   $newfile = $1;
} else {
   return("Bad file name");
}

open (OUTFILE, ">../$branch/images/$newfile") or die "Cannot open $new
+file: $!";
...
[download]

—Brad
"Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton

Comment on Re^2: Insecure dependency error and $ENV{'PATH'} Select or Download Code

Replies are listed 'Best First'.
•Re^3: Insecure dependency error and $ENV{'PATH'} by merlyn (Sage) on Aug 05, 2004 at 17:32 UTC
`$branch =~ /^([\w-]+)$/i; $branch = $1;` [download] This is not safe, particularly since you are doing this in the name of untainting. Never never never use $1 unless you've also checked that the match has succeeded. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply] [d/l]
Re^4: Insecure dependency error and $ENV{'PATH'} by bradcathey (Prior) on Aug 05, 2004 at 19:03 UTC
Thanks for the gentle reprimand merlyn. I did state that I controlled $branch, but I do now see how it could get hacked anyway. Your point is well-taken. —Brad "Don't ever take a fence down until you know the reason it was put up. " G. K. Chesterton	[reply]