Andre_br has asked for the wisdom of the Perl Monks concerning the following question:

Hello my friends.

Taint mode is complaining about that when I do this:

system "unzip ..files/zips/$zipfile -d ..files/unzips";
I've tested the $zipfile against tainting, and it is clean. The problem seems to be really the path, as Perl says. So, I said, hey, no problem, absolute path:
system "unzip home/mysite/zips/$zipfile -d home/mysite/unzips";
But... the problem goes on... Nothing changed. Any ideas?

Thanks a lot

Andre_br

Replies are listed 'Best First'.
Re: Insecure $ENV{PATH}
by ikegami (Patriarch) on Jun 20, 2005 at 17:30 UTC

    The problem is that someone could change the path such that the unzip called is not the unzip you thought you were calling. It has nothing to do with unzip's arguments. (By the way, your "absolute paths" aren't absolute, but that doesn't matter.)

    system "/usr/local/bin/unzip /home/mysite/zips/$zipfile -d /home/mysite/unzips";
    might do the trick, but why use multiple argument form when not needed. You're just asking for shell-interpolation trouble. Use the following instead:
    system "/usr/local/bin/unzip", "/home/mysite/zips/$zipfile", "-d", "/home/mysite/unzips";
    and if that still complains,
    { local $ENV{'PATH'} = ''; system "/usr/local/bin/unzip", "/home/mysite/zips/$zipfile", "-d", "/home/mysite/unzips"; }
    will definitely do the trick. If you're not sure where unzip will be located, the following should work:
    { local $ENV{'PATH'} = '/usr/local/bin:/usr/bin'; system "unzip", "/home/mysite/zips/$zipfile", "-d", "/home/mysite/unzips"; }
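An added example (not part of ikegami's reply or of any other post in this thread) that puts the advice together in one script running under -T: a fixed PATH, allowlist untainting of the file name, and list-form system. The unzip and directory paths are the ones used in the reply above; the helper names `untaint_zip_name` and `unzip_upload`, the PATH value and the sample names are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T unzip_taint.pl upload.zip   (-T must also be on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Paths as used in the replies above; assumed, adjust for your host.
my $UNZIP   = '/usr/local/bin/unzip';
my $ZIP_DIR = '/home/mysite/zips';
my $OUT_DIR = '/home/mysite/unzips';

# perlsec: under -T, system/exec die unless PATH is set to a known value,
# even when the program is called by its full path, because the child may
# itself run other programs through PATH. These variables are checked too.
$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: return an untainted bare file name, or nothing.
# A leading alphanumeric rules out "-option" and ".." names; no "/" is allowed.
sub untaint_zip_name {
    my ($name) = @_;
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]*\.zip)\z/;
    return $1;    # regex captures are untainted
}

# Hypothetical helper: extract one archive; returns true on success.
sub unzip_upload {
    my ($clean) = @_;
    # List form: no shell is involved, so the name is passed as one argument.
    my $rc = system $UNZIP, "$ZIP_DIR/$clean", '-d', $OUT_DIR;
    return $rc == 0;
}

# Constructed sample names are used when no arguments are given.
my @names = @ARGV ? @ARGV : ('report.zip', '../etc/passwd', '-o.zip', 'x;y.zip');
for my $name (@names) {
    my $clean = untaint_zip_name($name);
    if (!defined $clean) {
        print "rejected: $name\n";
        next;
    }
    printf "accepted: %s (input tainted: %s)\n", $clean, tainted($name) ? 'yes' : 'no';
    if (-f "$ZIP_DIR/$clean") {
        printf "  %s\n", unzip_upload($clean) ? 'extracted' : "unzip failed: status $?";
    } else {
        print "  no such archive in $ZIP_DIR\n";
    }
}
```

Names given on the command line are reported as tainted and only the captured copy reaches system; the built-in samples are script literals, so they show as untainted.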
Re: Insecure $ENV{PATH}
by Transient (Hermit) on Jun 20, 2005 at 17:19 UTC
    What about the path to the "unzip" program?
      Yes, that is the problem. When you just say "unzip" perl has to search your $ENV{PATH} to find the unzip path and with tainting mode on, perl doesn't trust $ENV{PATH}, thus leading to the error message. Specify the entire path to the executable.
Re: Insecure $ENV{PATH}
by Limbic~Region (Chancellor) on Jun 20, 2005 at 17:29 UTC
    Andre_br,
    Have you tried deleting $ENV{PATH} prior to invoking system? You will find that you now have to specify an absolute path to unzip.

    Cheers - L~R

Re: Insecure $ENV{PATH}
by bass_warrior (Beadle) on Jun 20, 2005 at 18:29 UTC
    2 options. 1. untaint your $ENV{PATH} 2. set $ENV{PATH} from within your script.
      In fact! You are the best!

      I in fact was forgetting the path to the "unzip" command. Now I am running smoothly with the snippets ikegami sent me.

      Thanks a lot to you all, cbrandtbuffalo Transient BUU Limbic~Region ikegami frodo72 bass_warrior!

      Take care

      Andre_br

Re: Insecure $ENV{PATH}
by cbrandtbuffalo (Deacon) on Jun 20, 2005 at 17:18 UTC
    Sorry if I'm being dense, but what exactly is the error/warning you are seeing and how is the $ENV{PATH} in your title related to this? Oh, and how are you doing the untainting?
Re: Insecure $ENV{PATH}
by polettix (Vicar) on Jun 20, 2005 at 18:04 UTC
    I wonder if you mean ../files/zips/$zipfile instead of ..files/zips/$zipfile - unless you have a subdirectory called ..files, which seems rather unusual to me.

    Flavio
    perl -ple'$_=reverse' <<<ti.xittelop@oivalf

    Don't fool yourself.