in reply to Taint, CGI and perl 5.10

Demo code, please. Your description is inaccurate (file handles don't have file names), and I can't reproduce the problem by guessing what you meant.
$ perl -Te'
   my $fn = $ARGV[0];
   ($fn) = $fn =~ /^([a-zA-Z0-9]{1,8}\.txt)\z/ or die;
   open(my $fh, ">", $fn) or die;
   printf $fh "%s\n", "foo";
' foo.txt

$ cat foo.txt
foo

Update: Oops, missed the bit about writing tainted info, but it makes no difference

$ perl -Te'
   my $fn = $ARGV[0];
   ($fn) = $fn =~ /^([a-zA-Z0-9]{1,8}\.txt)\z/ or die;
   open(my $fh, ">", $fn) or die;
   printf $fh "%s\n", $ARGV[0];
' foo.txt

$ cat foo.txt
foo.txt

$ perl -Te'
   my $fn = $ARGV[0];
   ($fn) = $fn =~ /^([a-zA-Z0-9]{1,8}\.txt)\z/ or die;
   open(my $fh, ">", $fn) or die;
   print $fh $ARGV[0];
   print $fh "\n";
' foo.txt

$ cat foo.txt
foo.txt

Re^2: Taint, CGI and perl 5.10
by nextguru (Scribe) on Mar 11, 2010 at 03:52 UTC
    The following code exhibits the trouble.
    #!/usr/bin/perl -wT
    use strict;

    my $tainteddata = $ARGV[0];
    my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;

    open(my $fh, ">", $untainteddata) or die;
    printf $fh <<EOMEOM;
    removing the next line of output allows the script to work
    the tainted data: $tainteddata
    script works with or without the following line
    the untainted data: $untainteddata
    EOMEOM
    close ($fh);
    exit;
    In trying other solutions, I've determined that the here document appears to be the culprit. The following code works fine.
    #!/usr/bin/perl -wT
    use strict;

    my $tainteddata = $ARGV[0];
    my ($untainteddata) = $tainteddata =~ /^([\w]+)$/;

    open(my $fh, ">", $untainteddata) or die;
    printf $fh $tainteddata, "\n";
    close ($fh);
    exit;
    This is curious to me. Why the different behavior for here documents? Original version of perl was 5.8.9, now 5.10.1.

      Your problem can be demonstrated using

      perl -Te'printf $ARGV[0]' foo

      The first argument of printf (optional fh aside) is the format pattern. It makes sense to require the pattern to be trusted. Consider %n, for example.

      printf $fh <<EOMEOM;
      should be
      printf $fh "%s", <<EOMEOM;
      or simply
      print $fh <<EOMEOM;

      Your code is buggy, and 5.10 catches your bug.

        That was it. Thanks much.

        Man ... that was a *spot* the bug for these eyes. Just to clarify that's:

        printf $fh
        print $fh

        It took me a while to spot the f.

        -derby

      perldoc perl595delta says

      When perl is run under taint mode, printf() and sprintf() will now reject any tainted format argument.
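
The three forms discussed in the replies above, run side by side under taint mode. This is an added example, not code from the thread: the `attempt` helper, the sample string and the in-memory file handle (standing in for the output file) are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread. Run as: perl -T taint_printf.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Constructed sample standing in for CGI or @ARGV input. Appending a
# zero-length slice of $^X (tainted under -T) taints the whole string.
my $input = 'rate 100%s %n' . substr($^X, 0, 0);
die "sample is not tainted\n" unless tainted($input);

# Run one way of writing to an in-memory handle and report the outcome.
sub attempt {
    my ($label, $writer) = @_;
    open(my $fh, '>', \my $buf) or die "open: $!";
    my $ok  = eval { $writer->($fh); 1 };
    my $err = $ok ? '' : $@;
    close($fh);
    chomp $buf if defined $buf;
    $err =~ s/ at .*? line \d+.*//s;    # drop the "at FILE line N." suffix
    printf "%-22s %s\n", $label, $ok ? "wrote: $buf" : "died: $err";
    return $ok;
}

# Tainted text used as the format string: rejected since perl 5.10.
attempt('printf $fh <<EOM', sub {
    my ($fh) = @_;
    printf $fh <<"EOM";
data: $input
EOM
});

# Constant format, tainted text as an argument: allowed, and the % sequences
# in the data are written out literally instead of being interpreted.
attempt('printf $fh "%s", <<EOM', sub {
    my ($fh) = @_;
    printf $fh "%s", <<"EOM";
data: $input
EOM
});

# No format string at all: allowed.
attempt('print $fh <<EOM', sub {
    my ($fh) = @_;
    print $fh <<"EOM";
data: $input
EOM
});
```
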
Re^2: Taint, CGI and perl 5.10
by nextguru (Scribe) on Mar 11, 2010 at 02:15 UTC

    I will try to cut the code down to the smallest instance where the problem still occurs and repost in a bit. Essentially the problem is this:

    • using perl 5.8
    • code working with taint mode turned on, file name comes from user, untainted by code and tainted information written to file successfully.
    • upgrade to 5.10
    • code now broken with 'insecure dependency...' error
    • only way to fix is to untaint the information written to the file. Nothing else changed.
    I pass a file handle and the tainted information to a subroutine that does the output. I don't know if that makes a difference. Back in a bit with code sample.
      The above does exactly what you said except it gives no error with 5.10.0.