birdbrane has asked for the wisdom of the Perl Monks concerning the following question:

Greets,

I am having some issue w/using File::Find and taint checking. I am trying to grab a group of files via the File::Find module, as it seemed that globbing was not a good idea w/taint checking. Problem is, I get the following error when I run the script:

Insecure $ENV{PATH} while running with -T switch at /usr/local/gnu/lib/perl5/Cwd.pm line 69.
Our perl version is 5.004_04. Has anyone encountered this problem? It appears to me that File::Find is the cause, but am not sure how to get around it, w/o monkeying w/ Find.pm.

Thanks for the help,

bb

Here is the snippet that is causing me problems:

#! /usr/local/bin/perl -Tw
use strict;
use File::Find;
use Socket;

my $BasePath   = "/hostname";
my $SourcePath = "${BasePath}/internal_hosts";
my ($Hostname, @HostFiles, $Subnet, $NewPass, $IP, $Service, $OS);

# Walk the source tree; GrabHostFiles is called once per entry found.
find(\&GrabHostFiles, "$SourcePath");
foreach (@HostFiles) { print "$_\n"; }

sub GrabHostFiles {
    my $hostaddr = $_;      # bare file name supplied by File::Find
    chomp $hostaddr;
    # keep only names of the form hostlist_N.N.N
    push(@HostFiles, $1)
        if ($hostaddr =~ /(hostlist\_\d{1,3}\.\d{1,3}\.\d{1,3})/);
}

Replies are listed 'Best First'.
Re: use of taint chking and File::Find
by arturo (Vicar) on Apr 12, 2001 at 20:06 UTC

    This specific problem doesn't have to do with File::Find in particular. It has to do with the fact that your script is inheriting a PATH from the environment, but Perl regards that as an untrusted source. The way to fix the specific problem you're having is to set $ENV{PATH} in your script before you make any system calls. perldoc perlsec has a wealth of information for you on this and other security matters. Some sample code:

    $ENV{'PATH'} = '/bin:/usr/bin';
    delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

    That snippet will make your PATH safe and also will delete some other environment variables that could be used by a clever meanie to make your script do unwanted things.

    Update : you might want to wrap such code in a BEGIN {} block, if you add those lines at the beginning of your script and you still get the error. Doing so will ensure the untainting happens before anything goes on in any of the modules you import. end update

    There's another roadbump on the horizon, however. I found out a little while back that information from the filesystem is regarded as tainted, and the File::Find versions from before that shipped with perl 5.6.0 have no mechanism for untainting the data. So if you try to do anything 'unsafe' with a filename, perl will complain when running under -T. The best thing to do in that case is to manually untaint any data you get from the filesystem before you use it in a system call. Again, perldoc perlsec is your go-to source.

    HTH

    Philosophy can be made out of anything. Or less -- Jerry A. Fodor

Re: use of taint chking and File::Find
by davorg (Chancellor) on Apr 12, 2001 at 20:02 UTC
Re: use of taint chking and File::Find
by Asim (Hermit) on Apr 12, 2001 at 20:03 UTC

    This has been noted in these here parts before, and I recommend looking at that link for the details, as well as perlsec for all the usual reasons. Basically, it looks like Cwd has tainted data, and this is passed onto File::Find (which uses it internally), and thus you get it.

    There is, it seems, a way to turn tainting off for File::Find (at least newer versions), but that's an "at your own risk" deal. Look at the node above for details -- merlyn states it much better than I can.

    ----Asim, known to some as Woodrow.
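The following script is an added example, not code posted in this thread, pulling together the two points arturo and Asim raise: sanitise %ENV in a BEGIN block so it happens before File::Find loads Cwd, and untaint every name that comes back from the filesystem with a regex capture before using it. It assumes a perl new enough for File::Find's untaint option (5.6 and later; Asim's "at your own risk" switch), which the questioner's 5.004_04 does not have; on that perl only the manual regex capture applies. The path and file-name pattern are taken from the original question, and is_tainted() is the idiom from perldoc perlsec.

```perl
#!/usr/bin/perl -Tw
# Added example, not code from the thread. Path and file-name pattern come
# from the original question; everything else is an assumption.
use strict;
use warnings;

# Sanitise %ENV at compile time, before 'use File::Find' pulls in Cwd and
# anything in those modules can look at $ENV{PATH}.
BEGIN {
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
}

use File::Find;

my $SourcePath = '/hostname/internal_hosts';
my @HostFiles;

# perlsec's portable taintedness check (no Scalar::Util needed).
sub is_tainted {
    local $@;
    return !eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

sub GrabHostFiles {
    # $_ is the bare name and $File::Find::name the full path; both came
    # from readdir(), so under -T both are tainted.
    return unless -f $_;

    # Untaint by capturing only the exact shape we are willing to accept.
    if ($File::Find::name =~ m{^(\Q$SourcePath\E/hostlist_\d{1,3}\.\d{1,3}\.\d{1,3})$}) {
        push @HostFiles, $1;    # $1 is a fresh, untainted copy
    }
}

# 'untaint' lets File::Find chdir into directory names that match
# untaint_pattern; it does NOT untaint $_ for the wanted sub, so the
# regex capture above is still required.
find(
    {
        wanted          => \&GrabHostFiles,
        untaint         => 1,
        untaint_pattern => qr|^([-+@\w./]+)$|,
    },
    $SourcePath,
);

for my $file (@HostFiles) {
    printf "%s (%s)\n", $file, is_tainted($file) ? 'tainted' : 'untainted';
    # open(), system() etc. on $file will no longer trip -T.
}
```

The anchored pattern is the important part: a capture such as /(.*)/ also "untaints" but accepts anything, which defeats the point of -T. Capturing exactly the characters the rest of the script expects (here a fixed directory plus hostlist_N.N.N) is what makes the later open() or system() on those names safe.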

Re: use of taint chking and File::Find
by birdbrane (Chaplain) on Apr 12, 2001 at 22:58 UTC
    Many thanks for the replies on this. Also, many apologies for not checking the archive (which I do in 9 out of 10 cases, just was a bit eager for an answer, so I by-passed my usual checks).

    Unfortunately, the $ENV{'PATH'} did not work. For some reason, in that particular script, neither did the BEGIN {}. I am going to try an upgrade on the find.pm and if that doesn't work, I will need to re-engineer the way that I read the dir contents (readdir perhaps).

    Thanks again for the help,

    bb