pskiz has asked for the wisdom of the Perl Monks concerning the following question:

I don't understand what is wrong here. I get this error message when trying to run a script that is supposed to create a text file with a name and password in it:

Insecure dependency in open while running with -T switch at /opt2/griffass/httpd/cgi-bin/createUser.cgi line 359.

The code that it is referring to is:

    # function to create new user file and print information into it
    sub createUserFile {
        my $theFile = param('user') . ".txt";
        open(NEWFILE, ">$theFile") || die "Can't create $theFile: $!";
        print NEWFILE param('user'), ":", param('pw');
        close(NEWFILE);
        writeCreateSuccess();
    }
Any insight is appreciated, thanks.

Janitored by Arunbear - added code tags, as per Monastery guidelines

Replies are listed 'Best First'.
Re: Insecure dependency in open
by Yendor (Pilgrim) on Oct 12, 2004 at 14:26 UTC

    What you're doing inside your createUserFile is grabbing the "user" parameter from your CGI script without checking it. Meanwhile, you're running your script with taint checking on (the -T option). Since you're not doing any kind of checking on the input that you get from the CGI script, the input is considered tainted by default.

    To untaint the user input, do as ccn suggested:

        param('user') =~ /^(\w+)$/ or die "Bad parameter " . param('user');
        my $theFile = "$1.txt";

    This will prevent the user from entering some potentially destructive input that will execute an "rm -r /" command on your system.

Re: Insecure dependency in open
by ccn (Vicar) on Oct 12, 2004 at 14:06 UTC

    perldoc perlsec

        ...
        param('user') =~ /^(\w+)$/ or die "Bad parameter " . param('user');
        my $theFile = "$1.txt";
        ...
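The untaint step that ccn's and Yendor's replies both show, written out as a complete script so it can be run under -T. This is an added example, not pskiz's script or any reply's code: the directory path, the 32-character length cap and the function names are assumptions. It keeps the regex-capture idea from the replies (only the captured group is untainted) but uses \A and \z rather than ^ and $, because $ also matches before a trailing newline, and creates the file with O_EXCL so an existing user's file is never overwritten.

```perl
#!/usr/bin/perl -T
# Added example of untainting a CGI parameter before using it as a file name.
# Not the original poster's code; the path and limits below are assumptions.
use strict;
use warnings;
use CGI qw(param);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Assumption: user files live in a fixed directory outside cgi-bin.
my $USER_DIR = '/var/lib/myapp/users';   # hypothetical path

# Return an untainted file-safe user name, or undef if the input is unacceptable.
# Under -T only the captured group $1 loses its taint, so everything that ends
# up in the file name must come from that capture. \w+ admits letters, digits
# and underscore only, so '/', '.', '..', spaces and NUL can never get through.
sub untaint_user {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A(\w{1,32})\z/ ? $1 : undef;
}

# Create "$USER_DIR/<user>.txt" holding "user:password" and return its path.
sub create_user_file {
    my ($user, $pw) = @_;
    my $name = untaint_user($user);
    die "Bad parameter\n" unless defined $name;   # do not echo raw input back

    my $path = "$USER_DIR/$name.txt";   # built only from untainted pieces

    # O_EXCL makes the call fail instead of clobbering an existing file;
    # 0600 keeps the file readable by the web server user only.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "Can't create $path: $!";
    # Printing tainted data ($pw) into a file is allowed under -T; taint
    # checks apply to the file name, not the contents.
    print $fh "$name:$pw\n";
    close($fh) or die "Can't close $path: $!";
    return $path;
}

# Usage with real CGI input:
if (defined param('user') && defined param('pw')) {
    my $created = create_user_file(param('user'), param('pw'));
    print "Content-type: text/plain\n\nCreated user file\n";
}
```

Running this with the -T switch no longer raises the "Insecure dependency in open" error, because the only tainted values reaching open are gone: the name is a regex capture and the directory is a literal. The character class is deliberately narrow; if the application needs names with other characters, widen the class explicitly rather than dropping the check.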
Re: Insecure dependency in open
by ysth (Canon) on Oct 12, 2004 at 14:11 UTC
    use diagnostics; to get more detailed information on perl's error and warning messages.