Re^2: -T switch & untaint - how to resolve errors?

I actually found & am using the exact code you suggested:

    untaint($name);
    untaint($siteName);
    open (FILE,">/$directory/tmpl/$name.tmpl");
        print FILE $content;
    close(FILE);

sub untaint {
    my $var = $_[0];
    unless ($var =~ m/^(\w+)$/) { #allow filename to be [a-zA-Z0-9_]
        die("Tainted");
    } 
    return $var;
}
[download]

But I still get the error. Is the switch suppose to be turned off & it's purpose simply to make me aware that this issue needs to be addressed, or am I coding it incorrectly & thus not allowing the switch to realize that I'm untainting the data?

Thx for the feedback!

Stenyj

Comment on Re^2: -T switch & untaint - how to resolve errors? Download Code

Replies are listed 'Best First'.
Re^3: -T switch & untaint - how to resolve errors? by polettix (Vicar) on Apr 10, 2005 at 20:37 UTC
You're not untainting the variable in-place, your call to the function should read as follows: `$name = untaint($name); $siteName = untaint($siteName); open (FILE,">/$directory/tmpl/$name.tmpl"); print FILE $content; close(FILE); sub untaint { my $var = $_[0]; unless ($var =~ m/^(\w+)$/) { #allow filename to be [a-zA-Z0-9_] die("Tainted"); } return $var; }` [download] I've asked a question about another topic here, but I think you can find the answers quite useful for your tainting doubts. Flavio (perl -e "print(scalar(reverse('ti.xittelop@oivalf')))") Don't fool yourself.	[reply] [d/l]
Re^4: -T switch & untaint - how to resolve errors? by Stenyj (Beadle) on Apr 10, 2005 at 21:11 UTC
Yeah sorry, I fixed the coding after posting, and forgot to update it here. Still getting the error, even with the adjusted code. "print() on closed filehandle FILE at file.cgi line 117." Kind of weird, but tryin' to figure it out. Stenyj	[reply]
Re^5: -T switch & untaint - how to resolve errors? by Joost (Canon) on Apr 10, 2005 at 21:46 UTC
Looks like the file isn't opened for some reason. Try doing `open(....) or die "Can't open file: $!"` "What should it profit a man, if he should win a flame war, yet lose his cool?"	[reply] [d/l]
Re^6: -T switch & untaint - how to resolve errors? by Stenyj (Beadle) on Apr 10, 2005 at 22:00 UTC
Is restricting to "words" good enough? by doom (Deacon) on Apr 11, 2005 at 03:30 UTC
Re^3: -T switch & untaint - how to resolve errors? by Stenyj (Beadle) on Apr 10, 2005 at 17:46 UTC
Nevermind, I tried exactly your code (rather then my variation of it) and it seems to work (at least the untain part of it): `my ($untained_file) = $name =~ /^(\w+)$/ or die "bad filename: $na +me"; open (FILE,">c:/apache/htdocs/directory/tmpl/$untained_file.tmpl") +; print FILE $content; close(FILE);` [download] but oddly, now I'm getting: print() on closed filehandle FILE at filename.cgi line 117. on the: `print FILE $content;` [download] line. Will mess around with it, and see if I can figure out what's up. Thx again.	[reply] [d/l] [select]