chdir in CGIs, taint mode and mod

lima1 has asked for the wisdom of the Perl Monks concerning the following question:

Hi Perl Monks,

I wrote a module that runs some command line tools. My problem is that these tools throw their output files to the current directory. That means I have to chdir to a temporary directory and then run the system() command there. Patching these tools is not an option.

The return value of cwd is tainted (I assume that someone mean can make cwd return a wrong path?), so changing back does not work in taint mode. Now two questions:

Can someone do something nasty if i untaint it with

my  ( $path ) = cwd =~ /(.*)/;
[download]

and how? Is there a better solution?

Do I get burned when I change directories all the time in mod_perl (race conditions?).

Comment on chdir in CGIs, taint mode and mod_perl Download Code

Replies are listed 'Best First'.
Re: chdir in CGIs, taint mode and mod_perl by merlyn (Sage) on Jan 25, 2006 at 14:35 UTC
I won't comment on the security of your attempt, but you should at least use `/(.*)/s` in case the string has a newline. And yes, CWD may contain a newline. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply] [d/l]
Re: chdir in CGIs, taint mode and mod_perl by Fletch (Bishop) on Jan 25, 2006 at 14:34 UTC
Run the uncooperative command in it's own shell and change directory in that child shell. `system( qq{ cd $output_dir ; exec uncooperative $some_arg $other_arg } + );` [download]	[reply] [d/l]