taint checking and @INC

coolmichael has asked for the wisdom of the Perl Monks concerning the following question:

I've read perlsec. I didn't see anything in the sections about taint checking that mentioned how @INC changes with -T. I read in CGI Programming with Perl on page 210 that the PATH must be secure and ./ isn't included in the PATH, because they can be modified by their owner.

I'm wondering how much of a security risk is it to do this:

#!perl -Tw
...
use lib '.';
[download]

in a CGI script? Will Perl even let me do that?

Comment on taint checking and @INC Download Code

Replies are listed 'Best First'.
Re: taint checking and @INC by HyperZonk (Friar) on Jul 19, 2001 at 09:15 UTC
$ENV{PATH} is tainted because it is obtained from "outside" your program. In taint mode, you can't use something from outside your program to affect something else outside your program. Your '.' is explicitly defined within your program, it is not obtained from an outside source (such as a file, an environment variable, or STDIN). Also, `use lib` is not attempting to affect something outside of the program, it is changing where the program looks for modules. Because of both, this is taint-free (I'm sure about the first part, and pretty sure about the second). Note that there are a few kinds of data obtained from outside the program that are not tainted. See perlsec for details.	[reply] [d/l]
Re: taint checking and @INC by LD2 (Curate) on Jul 19, 2001 at 09:06 UTC
coolmichael, you may want to check this site out: CGI/Perl Taint Mode FAQ - mainly the section named - How do I fix problems with require or use statements in taint mode? From this FAQ, I believe you can do this: `use lib qw(.);` [download]	[reply] [d/l]
(tye)Re: taint checking and @INC by tye (Sage) on Jul 19, 2001 at 19:39 UTC
I see no problem with adding "use lib '.';" provided you: preceed it by `BEGIN { chdir("/abs/path") or die "Can't chdir to /abs/path: $!\n" }` be very careful to prevent "others" from getting "write" access to /abs/path This last item could even involve checking the permissions on the directory from within the script. - tye (but my friends call me "Tye")	[reply] [d/l]