Stenyj has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,
I'm in the process of recoding my entire site to be more efficient (at least as best possible for my skill level) as well as more secure.

I'm working on a new script that will allow users to modify data of HTML files (vs. storing it in a DB). While attempting to open a file in the code:

    open (FILE,"../$directory/html/$file.html");
    while (<FILE>) { $content .= $_; }
    close(FILE);

I'm getting the following error:
"Insecure dependency in open while running with -T switch at filname.cgi line 116."

The values in $directory & $file are fetched from the URL that calls the script.

From some reading I've done so far tonight, I've come to understand (at least I think I have) that this is due to a vulnerability where the user could potentially modify the values of $directory and/or $file & potentially modify other files on the server. Which is of course not something I'd like them to be able to do ;-)

What are my options to resolve this issue?
Is there a module to "untaint" the data, and allow the -T switch to know it's been untainted... or anything of that sort?

The sharing of your wisdom would be greatly appreciated!


Stenyj

Re: -T switch & untaint - how to resolve errors?
by nobull (Friar) on Apr 10, 2005 at 06:37 UTC
    You decide what values you expect in $file and $directory and then "launder" them using a regex capture that matches that expectation...

    So for example, if $file should be a "word"1...

    my ($untained_file) = $file =~ /^(\w+)$/ or die "bad filename: $file";

    1. A word in this context means a string made up of characters a-z, A-Z, 0-9 and _.

      I actually found & am using the exact code you suggested:
      untaint($name);
      untaint($siteName);
      open (FILE,">/$directory/tmpl/$name.tmpl");
      print FILE $content;
      close(FILE);

      sub untaint {
          my $var = $_[0];
          unless ($var =~ m/^(\w+)$/) {   # allow filename to be [a-zA-Z0-9_]
              die("Tainted");
          }
          return $var;
      }
      But I still get the error. Is the switch supposed to be turned off & its purpose simply to make me aware that this issue needs to be addressed, or am I coding it incorrectly & thus not allowing the switch to realize that I'm untainting the data?

      Thx for the feedback!


      Stenyj
        You're not untainting the variable in-place, your call to the function should read as follows:
        $name = untaint($name);
        $siteName = untaint($siteName);
        open (FILE,">/$directory/tmpl/$name.tmpl");
        print FILE $content;
        close(FILE);

        sub untaint {
            my $var = $_[0];
            unless ($var =~ m/^(\w+)$/) {   # allow filename to be [a-zA-Z0-9_]
                die("Tainted");
            }
            return $1;   # only the capture is untainted; $var itself stays tainted
        }
        I've asked a question about another topic here, but I think you can find the answers quite useful for your tainting doubts.

        Flavio (perl -e "print(scalar(reverse('ti.xittelop@oivalf')))")

        Don't fool yourself.
        Nevermind, I tried exactly your code (rather than my variation of it) and it seems to work (at least the untaint part of it):

        my ($untained_file) = $name =~ /^(\w+)$/ or die "bad filename: $name";
        open (FILE,">c:/apache/htdocs/directory/tmpl/$untained_file.tmpl");
        print FILE $content;
        close(FILE);

        but oddly, now I'm getting:
        print() on closed filehandle FILE at filename.cgi line 117.
        on the line:
        print FILE $content;

        Will mess around with it, and see if I can figure out what's up.

        Thx again.
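        The laundering nobull describes, with the two slips from the follow-ups avoided (the return value of the untaint sub is assigned, and the sub returns the capture rather than the still-tainted original), plus a checked open so a failure is reported instead of surfacing later as "print() on closed filehandle". This is an added example, not code from the thread; the base directory, the argument source and the file layout are assumptions.

        ```perl
        #!/usr/bin/perl -T
        # Added example (not from the thread). Run as:
        #   perl -T untaint_demo.pl <directory> <file>
        use strict;
        use warnings;
        use Scalar::Util qw(tainted);

        # Assumed absolute base directory; a relative "../" path would depend on the
        # current working directory, which is not under the script's control.
        my $BASE = '/var/www/site';

        # Return the untainted capture, or die. A successful match untaints only the
        # capture ($1); the variable that was matched stays tainted.
        sub untaint {
            my ($value, $re, $what) = @_;
            my ($clean) = $value =~ $re
                or die "bad $what: '$value'\n";
            return $clean;
        }

        my ($directory, $file) = @ARGV;          # @ARGV is tainted under -T
        die "usage: $0 <directory> <file>\n"
            unless defined $directory && defined $file;

        # Explicit class rather than \w, so locale/Unicode settings cannot widen it.
        # Assign the result: calling untaint() and discarding it changes nothing.
        $directory = untaint($directory, qr/^([A-Za-z0-9_]+)$/, 'directory');
        $file      = untaint($file,      qr/^([A-Za-z0-9_]+)$/, 'filename');

        print "still tainted after laundering? ",
              (tainted($file) ? "yes" : "no"), "\n";

        my $path = "$BASE/$directory/html/$file.html";

        # Three-argument open with a lexical handle; check the result, otherwise the
        # next print/read fails with "on closed filehandle" instead of a clear error.
        open my $fh, '<', $path
            or die "cannot open $path: $!\n";
        my $content = do { local $/; <$fh> };
        close $fh;

        print length($content), " bytes read from $path\n";
        ```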
Re: -T switch & untaint - how to resolve errors?
by Zaxo (Archbishop) on Apr 10, 2005 at 10:40 UTC

    Environment variables are tainted, too. The relative path has an implicit dependence on $ENV{PWD}.

    After Compline,
    Zaxo

      I thought that too but then I did an experiment and found that an unlink() with a relative path was not seen as an insecure dependency under 5.8.6.

      Note also that the dependency is not on $ENV{PWD} but on the actual current directory, which is something else.

Re: -T switch & untaint - how to resolve errors?
by tcf03 (Deacon) on Apr 11, 2005 at 09:01 UTC
    I recently had a similar question and had several replies which you may find useful => node 443931

    Ted