bradcathey has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monasterians,

I have -T in my shebang and it's complaining about a write function in Imager, but IMHO, I don't think the error has anything to do with Imager itself. This node was helpful, but not definitive. The thing that I'm confused about is that the values are hard coded or have been untainted elsewhere (and not returning any error). Here's the error:

Error executing run mode 's': Insecure dependency in open while running with -T switch at /usr/lib/perl/5.8/IO/File.pm line 70, <fh00001chicago_test.jpg> line 197.

    my $image_name = 'foobar.jpg';        #from user
    my $upload_dir = '../clients/images'; #hard coded

    $self->make_thumb($image_name, $upload_dir, 'jpeg');

    sub make_thumb {
        my $self = shift;
        use Imager;
        my ($image_name, $upload_dir, $file_exten) = @_;

        # ........ imager stuff here ..........

        $image_name =~ /^(\w+)\.(\w+)$/;
        $image_name = $1;
        my $to_write = $upload_dir.'/'.$image_name.'_thumb.jpg';
        #$to_write =~ /(.*)/; $to_write = $1; #this didn't help

        $img->write(file=>$to_write, type=>$file_exten)
            or $self->push_error("Cannot write thumbname because: $!");
    }

What am I missing? TIA

Update: Fixed shift and added error message

—Brad
"The important work of moving the world forward does not wait to be done by perfect men." George Eliot

Re: Insecure dependency ... with -T switch
by jethro (Monsignor) on Aug 20, 2008 at 23:01 UTC
    my ($image_name, $upload_dir, $file_exten) = @;

    '@;' copy mistake?

    UPDATE: Something else: Please post the error message

    2ND UPDATE: Searching the net for 'File.pm insecure dependancy' turned up some hits

    The most interesting link is a Debian bug report http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422733 suggesting that the bug was fixed in 10.0. Also it seems you can simply avoid the bug by providing absolute pathnames.

Re: Insecure dependency ... with -T switch
by ikegami (Patriarch) on Aug 21, 2008 at 21:33 UTC

    Did you check if $to_write is tainted? You can check with tainted (and even with Dump).

    Or perhaps the module is making a new variable from yours which is tainted? Maybe it's not related to the file name at all. Did you isolate which variable is tainted in IO::File?

    Or maybe the module causes IO::File to use the two arg form of open which checks $ENV{PATH} (and others?) for taintedness? What's that line 70 of your IO::File?
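
The check ikegami suggests, as an added example that is not part of the thread: it reports which of the candidate values are tainted, using Scalar::Util's tainted. The tainted file name is constructed to stand in for the upload, and the helper names untaint_basename and report are hypothetical. Run it as perl -T.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Run as: perl -T taint_check.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: a zero-length slice of tainted data taints whatever it is
# joined to, which stands in for a file name arriving from a CGI upload.
my $taint      = substr("$0$^X", 0, 0);
my $image_name = 'foobar.jpg' . $taint;     # "from user"
my $upload_dir = '../clients/images';       # hard coded, as in the question

# Untaint only on a successful match; after a failed match $1 is stale or undef.
sub untaint_basename {
    my ($name) = @_;
    $name =~ /\A(\w+)\.\w+\z/ or die "unexpected file name\n";
    return $1;                              # capture groups are untainted
}

# Print one line per value: label, taint state, value.
sub report {
    my ($label, $value) = @_;
    printf "%-12s %-9s %s\n", $label, (tainted($value) ? 'TAINTED' : 'clean'),
        defined $value ? $value : '(undef)';
}

my $dirty_path = "$upload_dir/${image_name}_thumb.jpg";   # taint propagates
my $clean_path = "$upload_dir/" . untaint_basename($image_name) . '_thumb.jpg';

report('upload_dir', $upload_dir);
report('image_name', $image_name);
report('dirty_path', $dirty_path);
report('clean_path', $clean_path);
report('ENV{PATH}',  $ENV{PATH});           # %ENV values start out tainted

# A write-mode open on a tainted name dies before the file is touched.
my $ok = eval { open(my $fh, '>', $dirty_path); 1 };
print "open(dirty_path): ", ($ok ? "allowed\n" : "refused: $@");
```

If every value you pass in reports clean and the open is still refused, the tainted value is being built inside the module, which is the case the Debian bug report linked above describes.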