I don't think FindBin is at fault here.

I agree. $FindBin::RealBin is marked as tainted.

>perl -MScalar::Util=tainted -T -le"use FindBin; print tainted($FindBi
+n::RealBin) ?1:0"
1
[download]

use/require is not at fault either.

>perl -MScalar::Util=tainted -T -le"use FindBin; unshift @INC, $FindBi
+n::RealBin; require Module;"
Insecure dependency in require while running with -T switch at -e line
+ 1.
[download]

Perl did its due diligence. If you're going to blindly untaint the result ($path =~ /^(.+)$/;), it's your own coffin you're nailing.

rowdog is right too, though. If the modules or libraries you use are exploitable, there's a possibility that your code is too. For example, if there's a buffer overflow in the library DBD::mysql uses, even properly validated inputs could be used to exploit a vulnerability.

Silas,

$0 is trivial to manipulate (cp real.pl evil.pl) so I was rather horrified to see that FindBin relied on $0. Fortunately, ikegami pointed out that FindBin is tainted so I can take a deep breath and relax a bit but my off the cuff answer would be "all of them".

"cp real.pl evil.pl" is not reason enough to taint $0. Copying the file isn't "evil". It doesn't get you anything. For copying to be of any consequence, it would have to copy both the owner and the setuid bit. But if you can copy the owner, you can already impersonate the owner so it doesn't buy you anything you don't already have.

Um, yeah, bad example, I was only trying to show how easy it is to manipulate $0.

In C it's easy to manipulate argv[0] with the exec family. There are rather more sophisticated attacks as well. I learned a long time ago that you can't trust argv[0] or names in the process table.

In any case, $0 isn't reliable and there's plenty of reasons to taint it, even if cp isn't the reason. I do, however, feel much better knowing that FindBin isn't as unsafe as I first thought.