just another taint question

tcf03 has asked for the wisdom of the Perl Monks concerning the following question:

I have the following code

my @cupscmd=("/usr/bin/lpstat ", "-h", $server, "-r");
my $cups_cmd=qx/@cupscmd/;
[download]

and the following error:
Insecure dependency in `` while running with -T switch at /var/www/cgi-bin/printers.cgi line 77, <CFGFILE> line 7.
I think its the "in ``" im getting hung up on. Im not sure what "in ``" is

CFGFILE is just a file containg lines:

server,default,subsystem,connection

this file only has 6 lines. Ive searched for the awnser to this for about an hour now. If more code is needed I can supply it - Im trying not to post too much extranious crap.

Comment on just another taint question Select or Download Code

Replies are listed 'Best First'.
Re: just another taint question by Golo (Friar) on Mar 31, 2005 at 20:35 UTC
I think your $server is tainted, because it was read from a file. You'll have to untaint it, if you want to use it in a system call (which could be dangerous). `if ($server =~ /^((?:[a-zA-Z0-9-]+\.?)+)$/) { my @cupscmd=("/usr/bin/lpstat ", "-h", $1, "-r"); my $cups_cmd=qx/@cupscmd/; }else{ die "suspicious server name: $server\n"; }` [download] Update: changed the * in the regex to a +, to disallow empty strings	[reply] [d/l]
Re: just another taint question by Corion (Patriarch) on Mar 31, 2005 at 19:09 UTC
The backticks `` are the old way, the new way to write it is `qx//`. And taint mode complains because you did not set `$ENV{PATH}` before trying to launch a program - and `qx` looks at $ENV{PATH}. You should be able to make this work by adding the following line to your script: `$ENV{PATH} = '/usr/bin:/bin'; # or maybe even: $ENV{PATH} = '';` [download]	[reply] [d/l] [select]
Re^2: just another taint question by isotope (Deacon) on Mar 31, 2005 at 21:27 UTC
taint mode complains because you did not set $ENV{PATH} No, it's complaining because `$server` is tainted. --isotope	[reply]
Re^2: just another taint question by tcf03 (Deacon) on Mar 31, 2005 at 19:11 UTC
I probably should have added what I have already tried. I do have the following code at the top of my script. `$ENV{'PATH'} = '/bin:/usr/bin'; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` [download]	[reply] [d/l]
Re: just another taint question by gam3 (Curate) on Mar 31, 2005 at 20:12 UTC
I got the code below to run on perl 5.8.4 `$ENV{'PATH'} = ''; $ENV{'BASH_ENV'} = ''; my $server = '-a'; my @cupscmd=("/bin/ls ", "-l", $server, "-r"); my $cups_cmd=qx/@cupscmd/; print $cups_cmd, "\n";` [download] I don't have cups, but the command run should not matter. -- gam3 A picture is worth a thousand words, but takes 200K.	[reply] [d/l]