Melly has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monkees,

I'm having trouble getting File::Find to run in taint mode - here's my File::Find, what am I doing wrong? (I'm perfectly happy with the default untaint_pattern, but an example of this code with an untaint_pattern would be welcome).

    find({wanted => \&wanted, untaint => 1}, @twikipaths);

    sub wanted{
      if(/.+\.doc$/i){
        if($cs && /($searchterm)/){
          push @files, $File::Find::name;
        }
        elsif(!$cs && /($searchterm)/i){
          push @files, $File::Find::name;
        }
        elsif(!$tonly){
          open(DOC, $File::Find::name)|| die "Couldn't open $File::Find::name:$!\n";
          THISFILE: while(my $line = <DOC>){
            $line =~ s/([^\011\012\015\040-\176])//g;
            if($cs && $line =~ /($searchterm)/){
              close DOC;
              push @files, $File::Find::name;
              last THISFILE;
            }
            elsif(!$cs && $line =~ /($searchterm)/i){
              close DOC;
              push @files, $File::Find::name;
              last THISFILE;
            }
          }
        }
      }
    }

Thanks...

Tom Melly, tom@tomandlu.co.uk

Re: File::Find and untaint
by jwkrahn (Abbot) on Oct 09, 2006 at 17:08 UTC
    what am I doing wrong?
    According to the documentation for File::Find:
    Note that all names passed to the user's wanted() function are still tainted.
    So you have to untaint the @twikipaths array before you use it.

    The code:

    $line =~ s/([^\011\012\015\040-\176])//g;
    has superfluous parentheses (in fact all of your regular expressions do) and would be more efficient as:
    $line =~ tr/\011\012\015\040-\176//cd;

      Ah - many thanks! I must admit to being slightly puzzled by the requirement to untaint with File::Find, but waddaiknow?

      As for the superfluous parentheses - yes, some tidying up is in order. At one point I was printing out various stuff during a debug, but thanks for the heads-up...

      Tom Melly, tom@tomandlu.co.uk
        You're welcome.    :-)
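
Added example, not code from any poster in this thread: a taint-mode File::Find run that sets `untaint_pattern` explicitly, as the question asked, and untaints both the starting paths (as the reply suggests) and the names seen in `wanted()`. Taking the roots from `@ARGV`, the `$safe_path` name, the script name and the extra `..` check are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T find_docs.pl DIR [DIR ...]   (script name is hypothetical)
use strict;
use warnings;
use File::Find;
use Scalar::Util qw(tainted);

# Same shape as File::Find's documented default untaint_pattern.
# The capturing parentheses are required: only a capture removes taint.
my $safe_path = qr|^([-+@\w./]+)$|;

# Command-line arguments are tainted under -T, so validate each starting
# directory and keep only the captured (untainted) copy.
my @roots;
for my $arg (@ARGV) {
    my ($clean) = $arg =~ $safe_path;
    unless (defined $clean) {
        warn "skipping unsafe path: $arg\n";
        next;
    }
    # Extra policy (an assumption, not File::Find behaviour): refuse '..'.
    if ($clean =~ m{(?:^|/)\.\.(?:/|\z)}) {
        warn "skipping path with '..': $arg\n";
        next;
    }
    push @roots, $clean;
}
die "usage: $0 DIR [DIR ...]\n" unless @roots;

my @files;
find({
    wanted          => \&wanted,
    untaint         => 1,           # untaint directory names before chdir
    untaint_pattern => $safe_path,  # must be a qr// with one capture group
    untaint_skip    => 1,           # skip, rather than die on, a bad directory
}, @roots);

sub wanted {
    return unless /\.doc\z/i;
    # Per the File::Find documentation, names passed to wanted() are still
    # tainted, so untaint the full name before storing it for later use.
    my ($name) = $File::Find::name =~ $safe_path or return;
    push @files, $name;
}

printf "%s (tainted: %s)\n", $_, tainted($_) ? 'yes' : 'no' for @files;
```

Names containing characters outside the pattern (spaces, for example) are silently left out of `@files`; widen `$safe_path` only as far as the directory tree actually requires.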