hotshot has asked for the wisdom of the Perl Monks concerning the following question:

Morning! (at least where I come from)

A weird thing, while running the following code:

    sub mySub {                                                # 200
                                                               # 201
        my $file = shift;                                      # 202
        open(FILE, ">$file") or warn "Can't open $file: $!";   # 203
        # do stuff
        close(FILE);
    }

    &mySub($filename);

I got: Insecure dependency in open while running with -T switch ....in line 203
The thing is that I don't run perl with the -T switch and I can't find out why this happened here.
Anyone to the rescue?

Hotshot

Re: Insecure dependency
by davis (Vicar) on Dec 17, 2001 at 14:53 UTC
    Is the script setuid?
    Perl automatically jumps into taint mode when setuid'ing.
    davis
      that is the answer, the script is indeed setuid, I'll check that.
      thanks

      Hotshot
        Of course un-setuid'ing the script won't fix any security holes you might have. Closing a file that's not open is probably not a very smart thing. Many brothers here think it would be wise to keep taint checking on and just secure your code a bit. See perlsec for some more hints.

        Greetz
        Beatnik
        ... Quidquid perl dictum sit, altum viditur.
Re: Insecure dependency
by mortis (Pilgrim) on Dec 17, 2001 at 19:59 UTC
    Also, (I don't think this has been mentioned yet) line 203 is most likely generating the taint error because $file is tainted (i.e. its value was obtained from outside the program). For methodologies on untainting data, I'd recommend man perlsec.
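
An added example, not part of the thread or of any poster's code: one way to untaint the file name before an open like the one on line 203, keeping taint mode on. It assumes the name should be a bare file name inside a fixed directory; `untaint_filename`, `write_report`, the allow-list pattern and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run as "perl -T script.pl" or execute directly; -T must be on at startup.
use strict;
use warnings;
use File::Temp   qw(tempdir);
use Scalar::Util qw(tainted);

# Return an untainted copy of $name if it is a plain file name made only of
# allow-listed characters, or undef otherwise. Only a regex capture ($1)
# clears the taint flag, so the pattern is the actual security check.
sub untaint_filename {
    my ($name) = @_;
    return unless defined $name;
    return if $name =~ /\A\.+\z/;                       # reject "." and ".."
    return $name =~ /\A([A-Za-z0-9_.-]{1,64})\z/ ? $1 : undef;
}

# Write $text to $name inside $dir; refuses names that fail validation.
sub write_report {
    my ($dir, $name, $text) = @_;
    my $clean = untaint_filename($name);
    unless (defined $clean) {
        warn "Refusing unsafe file name\n";
        return 0;
    }
    # Three-argument open with a lexical handle: the mode is never parsed
    # out of the file name, and the handle is only closed if open succeeded.
    open(my $fh, '>', "$dir/$clean") or do {
        warn "Can't open $dir/$clean: $!";
        return 0;
    };
    print {$fh} $text;
    close($fh) or warn "Can't close $dir/$clean: $!";
    return 1;
}

# Constructed sample input: a zero-length tainted string appended to each
# literal marks it as tainted, as if it had come from @ARGV or %ENV.
my $taint = substr("$0$^X", 0, 0);
my $dir   = tempdir(CLEANUP => 1);    # scratch directory for the demo

for my $name ("report.txt", "../../etc/passwd", "out|rm") {
    my $input = $name . $taint;
    printf "%-18s tainted=%d written=%d\n",
        $input, (tainted($input) ? 1 : 0), write_report($dir, $input, "ok\n");
}
```

A pattern such as `/(.*)/` would also clear the taint flag while checking nothing, which is why the capture is anchored and restricted to an allow-list.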