szabgab has asked for the wisdom of the Perl Monks concerning the following question:

The modules of my web application are placed next to the executables, in the ../lib directory. I keep trying to use FindBin in order to add this directory to @INC, but it does not seem to work in -T (taint) mode.
    #!/usr/bin/perl -T
    use strict;
    use warnings;
    use FindBin;
    # $FindBin::Bin is derived from $0 and is therefore tainted under -T,
    # so the require triggered by this 'use lib' dies
    use lib "$FindBin::Bin/../lib";
    use CGI;
    print CGI->new->header;
This dies with the famous "Insecure dependency in require while running with -T switch" error.

The following cleans up the taint but I am just playing with fire here, right? Should I really blindly trust FindBin?

    #!/usr/bin/perl -T
    use strict;
    use warnings;
    use FindBin;
    my $path;
    BEGIN {
        # capturing through a regex removes the taint flag; /(.*)/ accepts any value
        if ($FindBin::Bin =~ /(.*)/) {
            $path = $1;
        }
    }
    use lib "$path/../lib";
    use CGI;
    print CGI->new->header;

Replies are listed 'Best First'.
Re: FindBin and taint mode
by merlyn (Sage) on Nov 21, 2006 at 16:33 UTC
      If I understand correctly, you suggest using rel2abs from File::Spec. As far as my understanding goes, the result is still tainted, so while it might be better than FindBin (see the other node), it still does not solve my problem.
      #!/usr/bin/perl -T
      use strict;
      use warnings;
      use File::Spec ();
      use File::Basename ();
      my $path;
      BEGIN {
          # rel2abs($0) is derived from tainted $0, so the directory is tainted too
          $path = File::Basename::dirname(File::Spec->rel2abs($0));
          # untaint by capturing; /(.*)/ accepts any value
          if ($path =~ /(.*)/) {
              $path = $1;
          }
      }
      use lib File::Spec->catdir($path, '..', 'lib');
      use CGI;
      print CGI->new->header;
Re: FindBin and taint mode
by ikegami (Patriarch) on Nov 21, 2006 at 18:15 UTC

    By removing $Bin's or $0's tainting, you're allowing a path outside your control to be added to @INC. Given that security is an exercise in balancing risks and rewards, the question is: Is that an issue for you?

    If you're only concerned about securing against web users, this is a risk you might be willing to accept.

    If you're also concerned about other users on your system, such as if this is a setuid script, this is a risk you should not accept.

    Either way, be sure to document this risk and your decision.
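The two points above (the /(.*)/ untaint in the original question, and ikegami's observation that an untainted $Bin lets a path outside your control into @INC) come together in the following added example. It is not code posted by szabgab, merlyn or ikegami. It assumes a deploy layout of <prefix>/bin/<script> and <prefix>/lib under a trusted root such as /srv or /opt; the trusted-root regex and the ownership/permission policy are assumptions to adjust for your site. The capture in the untaint regex is the actual security boundary, so it matches an anchored, restricted pattern instead of anything, uses $FindBin::RealBin (which FindBin documents as $Bin with symlinks resolved) rather than $Bin, and refuses to extend @INC with a lib directory that is not a directory, is world-writable, or is owned by someone other than root or the effective user.

```perl
#!/usr/bin/perl -T
# Added example for this thread, not code from the original posts.
# Assumes <prefix>/bin/<script> and <prefix>/lib live under /srv or /opt
# (an assumed policy; adjust the regex below for your own layout).
use strict;
use warnings;
use FindBin qw($RealBin);   # like $Bin, but with symlinks in the path resolved
use File::Spec ();

# Everything derived from $0 (so $FindBin::Bin and $RealBin too) is tainted.
# Capturing through a regex is what removes the taint flag, which means the
# regex decides what is allowed into @INC: /(.*)/ allows anything, so whoever
# controls $0 controls the module search path. Accept only an absolute path
# below a trusted root made of plain path characters.
sub untaint_bin_dir {
    my ($candidate) = @_;
    # regex is inlined so it exists when this is called from BEGIN
    return $1 if $candidate =~ m{\A(/(?:srv|opt)/[\w.-]+/bin)\z};
    die "refusing to extend \@INC: '$candidate' is outside the trusted roots\n";
}

# A path that looks right is still worthless if someone else can drop
# modules into it, so inspect the lib directory before using it.
sub check_lib_dir {
    my ($dir) = @_;
    die "$dir is not a directory\n" unless -d $dir;
    my ($mode, $uid) = (stat _)[2, 4];           # reuse the stat from -d
    die "$dir is world-writable\n"               if $mode & 0002;
    die "$dir is not owned by root or uid $>\n"  unless $uid == 0 || $uid == $>;
    return $dir;
}

my $lib;
BEGIN {
    my $bin = untaint_bin_dir($RealBin);
    $lib = check_lib_dir(File::Spec->catdir($bin, File::Spec->updir, 'lib'));
}
use lib $lib;

use CGI;
print CGI->new->header;
```

Run it as `perl -T script.pl` (perl refuses a -T that appears only on the shebang line when the interpreter was started without it). If the script is invoked through a symlink in a directory the caller controls, $Bin would point at that directory while $RealBin points at the real one; and if the real location is outside the assumed roots, the BEGIN block dies instead of silently widening @INC, which is the outcome you want for a setuid script.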