Stenyj has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks, I'm getting the following error while attempting to run a script that will copy the contents of one directory into another:
"Insecure dependency in open while running with -T switch at /usr/lib/perl5/5.8.3/File/Copy.pm line 129."
The code I'm using is:
$subdomain = untaint($subdomain);
$destFolder = untaint($destFolder);

my $dir1 = "/home/siteName/templates/tmpl";
my $dir2 = "/home/siteName/public_html/$subdomain/$destFolder/tmpl";
my @list = <$dir1/*.*>;

foreach (@list) {
    copy("$_", "$dir2/") or die "FAIL :$! \n";
}

sub untaint {
    my $var = $_[0];
    my ($untained_file) = $var =~ /^(\w+)$/ or die "bad filename: $var";
    return $untained_file;
}
The value of $subdomain is 'sub-one'
The value of $destFolder is 'destination', which is originally supplied by the user, validated to make sure it's only alphanumeric, and then stored in the database. This script then retrieves it from the database for processing.

NOTE: I realize the value 'sub-one' will bounce off the untaint subroutine because of the '-' in it. The value of $subdomain is retrieved from a database on my server, and is not specified by the user, so I would like to allow for '-' to be in the name if possible.

Can anyone advise on how to resolve this issue, as well as perhaps modify the untaint sub to allow the inclusion of '-'? I've made multiple attempts tonight without success :-|

Any assistance would be greatly appreciated.

Regards,
Stenyj

Replies are listed 'Best First'.
Re: Plz help w/ taint issue while copying dir contents
by PodMaster (Abbot) on Apr 12, 2005 at 04:13 UTC
    All of @list is tainted. You really should read perlsec:
    All command line arguments, environment variables, locale information (see perllocale), results of certain system calls (readdir(), readlink(), the variable of shmread(), the messages returned by msgrcv(), the password, gcos and shell fields returned by the getpwxxx() calls), and all file input are marked as "tainted".

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

      Isn't
      my @list = <$dir1/*.*>;
      a file input instead of a readdir()?

      Flavio (perl -e "print(scalar(reverse('ti.xittelop@oivalf')))")

      Don't fool yourself.
        No, it isn't (and even if it was, it's external input, still tainted).
        perl -le" print for <*.*> "
        `perldoc -f glob'

        MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
        I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
        ** The third rule of perl club is a statement of fact: pod is sexy.

Re: Plz help w/ taint issue while copying dir contents
by tlm (Prior) on Apr 12, 2005 at 03:14 UTC

    It's perfectly OK to have - in your untainting regexp, e.g.

    sub untaint {
        my $var = $_[0];
        my ($untained_file) = $var =~ /^([\w-]+)$/ or die "bad filename: $var";
        return $untained_file;
    }
    Note that within a character class, - must either be escaped, or else appear in the first or last position in the character list, otherwise it is interpreted as a range indicator (see Version 8 Regular Expressions in perlre).

    Also, if you're using locale, read this node.

    the lowliest monk

      Thx! Will add that in now.

      Any idea on the taint error?

      Stenyj

        I assume you are running this as a CGI script? Do you get the same error if you run this code from the command line? You may want to use the Scalar::Util::tainted to see exactly which variable -T is unhappy with.

        A common piece of advice when dealing with -T-related problems is to set your $ENV{ PATH } variable explicitly; e.g. $ENV{ PATH } = '/bin:/usr/bin'; it's worth a try, but I think that if this were the solution, the error message you'd be getting would be different.

        the lowliest monk
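
Added example (not part of the original thread and not any poster's code): a script that shows the glob results arriving tainted, reports that with Scalar::Util::tainted, and untaints each file name before handing it to File::Copy. The temporary directories and the two file names are constructed stand-ins for the template and destination folders, and untaint_name is a hypothetical helper.

```perl
# Added example. Run with taint checks on: perl -T untaint_copy.pl
use strict;
use warnings;
use File::Basename qw(basename);
use File::Copy qw(copy);
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Taint mode also distrusts the inherited environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: accept one path component made of word characters,
# '.' and '-' (kept last in the class so it is not read as a range) and
# return the captured, therefore untainted, copy. Anything else dies.
sub untaint_name {
    my ($name) = @_;
    my ($clean) = $name =~ /\A(\w[\w.-]*)\z/
        or die "bad filename: $name\n";
    return $clean;
}

# Constructed stand-ins for the template and destination directories.
my $src = tempdir(CLEANUP => 1);
my $dst = tempdir(CLEANUP => 1);
for my $name (qw(header.tmpl sub-one.tmpl)) {
    open my $fh, '>', "$src/$name" or die "create $name: $!\n";
    print {$fh} "constructed sample\n";
    close $fh or die "close $name: $!\n";
}

for my $path (glob("$src/*.*")) {
    # glob() results are external data, so each one arrives tainted.
    printf "%-13s tainted before: %d\n", basename($path), tainted($path) ? 1 : 0;

    # Validate only the last component, then rebuild the path from
    # directories this script chose itself.
    my $name = untaint_name(basename($path));
    my ($from, $to) = ("$src/$name", "$dst/$name");
    printf "%-13s tainted after:  %d\n", $name, tainted($from) ? 1 : 0;

    copy($from, $to) or die "copy $from: $!\n";
}
print "copied: ", join(', ', map { basename($_) } glob("$dst/*")), "\n";
```

Passing the glob result straight to copy() instead of the rebuilt $from is what produces the "Insecure dependency in open" error quoted in the question.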

Re: Plz help w/ taint issue while copying dir contents
by chanio (Priest) on Apr 13, 2005 at 03:19 UTC