DrZaius has asked for the wisdom of the Perl Monks concerning the following question:

Hey, I'm having troubles getting File::Path to run in a script with taint checking.

The values I pass in are taint safe. It seems the values it pulls out of a readdir are not though, as it dies on unlinking a file in a subdirectory of the file I pass in.

Has anyone else had this problem?

Here is a simple script that also has this problem: 

#!/usr/bin/perl -wT

use strict;
use File::Path qw/rmtree mkpath/;

rmtree(untaint_filename($ARGV[0]), 1, 1)
  or die "Could not rmtree $ARGV[0]: $!";

sub untaint_filename {
  my ($filename) = ($_[0] =~ m!^([\w\d\-_/\.]+)$!)
    or die "$_[0] is not safe.";

  return $filename;
}

[download]
Do the following (on unix) to test it: 
mkdir -p blah/blah/blah/blah
touch blah/blah/foo
touch blah/blah/bar
touch blah/blah/blah/foo
touch blah/blah/blah/bar

./test.pl blah

[download]
btw, I'm running perl 5.6.0 on linux with File::Path 1.0403

Replies are listed 'Best First'.
Re: File::Path and Taintedness
by BMaximus (Chaplain) on Jun 23, 2001 at 04:19 UTC
    This appears to be a problem with the File::Path module itself. Not your test program. Somehow within File::Path one of the variables gets insecure (untainted right?). I added the following to the module but I need someone elses opinion to make sure that the change I made isn't seriously dangerous. I added the line: 
    ($root) = $root =~ m!^([\w\d\-_/\.]+)$!;

    [download]
    to the module between the lines 208 and 209 and before line 239. After this was added the test code worked fine.

    BMaximus

    Update: Small diff made to make things easy

    208a209,211
>           
>           ($root) = $root =~ m!^(\w\d\-_/\.+)$!;
> 
232a236,238
> 
>               ($root) = $root =~ m!^(\w\d\-_/\.+)$!;
>
[reply]
[d/l]
Re: File::Path and Taintedness
by bikeNomad (Priest) on Jun 23, 2001 at 04:32 UTC
    The problem is with File::Path; it's unlinking things based on names that it got from readdir, and the output of readdir is tainted.

    Of course, it's unlikely that this is a security hole, but apparently no one has bothered to fix it. It was discussed in the perl porters mailing list back in '98 and '99; you can DejaGoo for (taint File::Path) and find quite a bit of discussion.

[reply]

Back to Seekers of Perl Wisdom