SilasTheMonk has asked for the wisdom of the Perl Monks concerning the following question:

I am using File::Spec to make a factory method portable as follows:
    sub create {
        my $class = shift;
        require File::Spec;
        my @path = split(/\:\:/,$class);
        my $file = pop @path;
        $file .= ".pm";
        my $fp = File::Spec->catfile(@path, $file);
        require $fp;
        return $class->new(@_);
    }
I am testing this on Windows although the code is destined to be a CGI script. The library could be used in several ways, not just CGI scripts, hence the importance of portability. Now when I run my CGI script on Windows in taint mode I get the following error:
Insecure dependency in require while running with -T switch at .... [the line "require $fp"]
Now I am using CGI::Safe so I thought the path should be untainted. I have looked inside the File::Spec module but I cannot actually see where it is going outside the system to look at the filesystem.

Re: File::Spec and taint
by Anonymous Monk on Aug 26, 2008 at 21:03 UTC
    Now I am using CGI::Safe so I thought the path should be untainted.

    $fp is tainted

      My sincerest apologies to the community but I have found the solution. I did it by debugging and testing for the origin of the taint with Scalar::Util::taint.

      I had forgotten that the input variable $class was tainted because it came from a drop-down menu rather than a text box. In fact, before posting I did a search and found a Perl Monks node exactly to this effect. I failed to see the connection at the time. Sadly I can no longer find that node. The replies were helpful and broadened my knowledge in other ways.
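
The cause found above (a class name taken from a form field reaching require while still tainted) can be handled by validating and untainting the name before building the path. This is an added example, not code from the thread: the untaint_class helper and the allowlist are assumptions, and core IO modules stand in for the application's own classes.

```perl
# Run as: perl -T factory.pl   (taint mode must be on to see the effect)
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Assumption: the only classes this factory may load. Core modules stand in
# for the application's own classes so the example runs anywhere.
my %ALLOWED = map { $_ => 1 } qw(IO::Handle IO::File);

# Return an untainted copy of a class name, or die if it is not acceptable.
sub untaint_class {
    my ($name) = @_;
    # A regex capture is the sanctioned way to untaint; the pattern is strict
    # so "..", path separators and NUL bytes can never reach require.
    my ($clean) = $name =~ /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*)\z/
        or die "malformed class name\n";
    $ALLOWED{$clean} or die "class '$clean' is not on the allowlist\n";
    return $clean;
}

sub create {
    my ($name, @args) = @_;
    my $class = untaint_class($name);      # clean copy; $name stays tainted
    my @path  = split /::/, $class;
    my $file  = pop(@path) . '.pm';
    my $fp    = File::Spec->catfile(@path, $file);
    require $fp;                           # no "Insecure dependency" here
    return $class->new(@args);
}

# Constructed input: substr($^X, 0, 0) is an empty but tainted string under
# -T, so appending it simulates a value that arrived as a CGI parameter.
my $taint = substr($^X, 0, 0);
for my $input ('IO::Handle', 'IO::Handle/../../evil', 'Data::Dumper') {
    my $param  = $input . $taint;
    my $obj    = eval { create($param) };
    my $result = $obj ? ref($obj) . "\n" : "rejected: $@";
    printf "%-24s tainted=%d -> %s", $input, tainted($param) ? 1 : 0, $result;
}
```

The pattern alone only proves the name is well formed; the allowlist is what stops a request from loading an arbitrary installed module.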

Re: File::Spec and taint
by Anonymous Monk on Aug 26, 2008 at 20:58 UTC
    I have looked inside the File::Spec module but I cannot actually see where it is going outside the system to look at the filesystem.
    perldoc -f require