Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

I've written a couple of modules in Perl. These modules work fine from the command line.
But now I need the functionality of those modules when I use CGI, and then I want to use the module with the -T flag for added security.
Of course there were some problems with my modules because I opened/closed various files etc., and I believe I can solve them with some regexes.

But my code used an xml file to read in some configuration directives, and apparently the -T mode croaks on that module when I want to use XML::Simple.

How can I solve this problem ?
Is there a good tutorial/guide that explains how to go from untainted mode to tainted mode ?

When I remove the T flag and run it from the cmd line the code seems to work: $_config contains a hashref.
With the -T flag I get an obscure "Name contains ...".
I know it's crashing on the path I provide, but I can't seem to figure out how to solve it.

#!/usr/bin/perl -wT
use strict;
use warnings;
use XML::Simple; # used to read the xml config file

my $parser = new XML::Simple(keeproot => 0);
my $_config_file = "blah.xml";
my $_config_path = "/some/path";

unless ($_config_path =~ m#^(/some/path)$#) {
    # some regex I suspect will untaint the data, but I wonder if this is needed because I set the vars from within my program
    # and from what I is that taint only check data from other processes
    die("FATAL Error, the path you provide doesn't seem to be a valid path at all");
}
print "match $1 \n";
my $config_path = $1;
my $file = "${config_path}/${_config_file}";
print "complete path to file: $file \n";
my $_Config = $parser->XMLin($file);
print "\$_config = $_Config \n";

20051019 Janitored by Corion: Removed BR tags from code

Re: run script in taint mode
by mulander (Monk) on Oct 19, 2005 at 11:51 UTC
    Ovid wrote a pretty good tutorial about CGI; this lesson covers untainting the data from the user.
Re: run script in taint mode
by snowhare (Friar) on Oct 19, 2005 at 14:39 UTC

    Your 'untaint' operation is unneeded for a hardcoded path like what you gave.

    I stripped your code down to essentials:

    #!/usr/bin/perl -wT
    use strict;
    use warnings;
    use XML::Simple; # used to read the xml config file

    eval {
        my $parser = new XML::Simple(keeproot => 0);
        my $config_file = "blah.xml";
        my $config_path = "/www/common/data";
        my $file = "$config_path/$config_file";
        my $_Config = $parser->XMLin($file);
        print "Content-Type: text/plain\n\n\$_config = $_Config \n";
    };
    if ($@) {
        print "Content-Type: text/plain\n\n$@\n";
    }

    and created a 'blah.xml' file containing only '<data/>' and it ran fine for me.

    You need to give the exact error message. I suspect it doesn't mean what you think it does.

      I c/p'd your code, replaced the path with my xml-file, and ran it from the command line

      and I get the following error:

      Content-Type: text/plain

      Name contains invalid start character: '&#x3C;'

      I think it might have something to do with the data in the XML, but how should I untaint the data?
        That doesn't sound like a taint error. It sounds like bad XML. That code value is a 'left arrow' (<). You might get an error like that if somewhere in your data you had something like '<<something '. Does my script work if you turn off 'taint'? If it does, then the next thing I would look for is something like an external entity in a DTD that is trying to import a file with a '<' character in the name....
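An added example (not code from any poster above) that shows the distinction snowhare draws: a path hardcoded in the program is never tainted, a value from the command line or environment is, and only a regex capture clears it. It assumes Scalar::Util's tainted() (core since Perl 5.8) and must be started as `perl -T script.pl somefile.xml` so the -T on the #! line matches the command line.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: which values are tainted under -T,
# and how an allow-list regex capture untaints one of them.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A literal in the program is not tainted, so (as the answer above says)
# the unless/regex dance in the original post is unnecessary for it.
my $config_path = "/some/path";
printf "hardcoded path tainted?     %s\n", tainted($config_path) ? "yes" : "no";

# Anything from outside the program (@ARGV, %ENV, STDIN, CGI parameters)
# is tainted and cannot be used in open()/XMLin() until it is untainted.
# Constructed sample input: the fallback literal is NOT tainted, so pass a
# filename on the command line to see the "yes".
my $user_file = defined $ARGV[0] ? $ARGV[0] : "blah.xml";
printf "command-line value tainted? %s\n", tainted($user_file) ? "yes" : "no";

# Untaint by matching an allow-list and keeping only the capture.  The
# pattern is what makes this safe: a bare /(.*)/ would clear the taint
# flag without checking anything.  No '/' is allowed, so the name cannot
# escape $config_path.
sub untaint_filename {
    my ($name) = @_;
    if ($name =~ m{\A([A-Za-z0-9_][A-Za-z0-9_.-]*\.xml)\z}) {
        return $1;    # the capture is untainted
    }
    die "Refusing to use config file name '$name'\n";
}

my $safe_file = untaint_filename($user_file);
printf "after untaint tainted?      %s\n", tainted($safe_file) ? "yes" : "no";

# Joining two untainted strings yields an untainted string, so this path
# can be handed to open() or XML::Simple->XMLin() under -T.
my $file = "$config_path/$safe_file";
printf "would open: %s\n", $file;
```

Running it with `perl -T script.pl ../etc/passwd.xml` dies in untaint_filename, which is the behaviour you want from the check rather than a taint error deep inside XML::Simple.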