Re: Untainting 'bad' filenames

You're probably best off doing something like this:

($untainted) = $file =~ /^(.*)$/s;
[download]

Just be certain you only use $untainted in a "secure" way. I suspect a rename call is fine, but don't think of using it in, say, system.

The example you used ($filename=~/^(.+)$/; $file=$1;) breaks if there's a newline in the filename and if it doesn't successfully match the filename, you could be setting $file to something you do not expect (since an unsuccessful match leaves $1 to what it was set to before). Taint-checking probably wouldn't pick up on this mistake.

Comment on Re: Untainting 'bad' filenames Select or Download Code

Replies are listed 'Best First'.
Re: Re: Untainting 'bad' filenames by doran (Deacon) on Dec 08, 2000 at 12:20 UTC
Yikes, newlines! Thanks. I forgot about the //s. BTW, I make sure the $1 is localized by wrapping the regex in its own block. That's something I learned a couple months ago.	[reply]
Re: Re: Re: Untainting 'bad' filenames by chipmunk (Parson) on Dec 08, 2000 at 20:13 UTC
That ensures that the value of $1 from a successful match does not leak outside the block, but it doesn't protect you from $1 from an earlier successful match leaking into the block: `#!/usr/local/bin/perl -w use strict; $_ = 'perlmonks.org'; for my $re (qw/monks minks/) { /(perl)/; print "$1\n"; { # new block for regex /($re)/; print "$1\n"; } } __END__ perl monks perl perl` [download] It's generally necessary to check whether a regex succeeded before using any of the regex special variables.	[reply] [d/l]