RE: Re: Using perl to automate mail backup

I originally did, but I wanted to be able to have the working directory reset to its original value when the program exits. The only way I know to do this is my $old_dir = `pwd`, and the output of the pwd program causes $old_dir to be tainted.

From what I can gather, the only proper way to untaint data is to using a regular expression. Something along the lines of this I believe: my ($untainted) = $old_dir =~ /^(.*)/. Then I could use chdir $untainted without getting a warning of an insecure dependency in chdir. If I understand it correctly, this is how you convince perl that you have filtered the input of any harmfull input. Will my code above cause some insecurity because of it blindly untainting the input of pwd??

Thanks for the link to the perlsec. I have looked it over a few times but it is one document that I need to read over more thouroughly. I am not a security expert, that is for sure!

Thanks!
zzspectrez

Comment on RE: Re: Using perl to automate mail backup Select or Download Code

Replies are listed 'Best First'.
RE: RE: Re: Using perl to automate mail backup by Fastolfe (Vicar) on Nov 12, 2000 at 13:23 UTC
I'm not sure what you mean by resetting the current working directory. When your script exits, its current working directory disappears with it, just like its environment. `(fastolfe) eddie:~$ perl -e 'chdir("tmp"); system("pwd");' /home/fastolfe/tmp (fastolfe) eddie:~$ pwd /home/fastolfe` [download] There is also the Cwd module, which will fetch the current working directory (via getcwd or cwd). I don't know if/how these values are tainted though.	[reply] [d/l]
RE: RE: RE: Re: Using perl to automate mail backup by zzspectrez (Hermit) on Nov 12, 2000 at 23:34 UTC
Oppps! I didn't even realize that the directory gets reset when the program exits. All my other experience programming in the dos environment ( masm, turbo pascal ) you had to save the path and restore it when you exit or you would be left in the last directory your program set. That solves that problem. I can remove that section of code and use taint checking. I had looked at the Cwd module, but its implementation is the same: Taken from Cwd.pm sub _backtick_pwd { my $cwd; chop($cwd = `pwd`); $cwd; } [download] And the working directory returned is tainted. zzspectrez	[reply] [d/l]
RE: RE: RE: RE: Re: Using perl to automate mail backup by Fastolfe (Vicar) on Nov 13, 2000 at 08:55 UTC
Check the 'getcwd' function instead of 'cwd'. This does not use an external command. It's a lot more intensive, but does a more thorough job (and may perhaps be how 'pwd' does it internally, actually). Data may still be considered tainted, though. I don't really think there's going to be a way to get at filesystem information in such a way that you can't consider it unsafe/tainted to begin with, since any part of it can be arbitrarily supplied by any user. If you trust it, un-taint it.	[reply]