http://www.perlmonks.org?node_id=1018072

ddmiller has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am writing an application that will be hosted on several Apache webservers, which may have different directory structures. The application will reference a number of directories and files ("config", "log", "data", etc.) under an application base directory. Since each server's directory structure might be different, though, the pathnames to the base directory will vary from server to server. I thought I would define an environment variable in the Apache configuration that would tell the CGI where to find its base directory, like this:

```perl
#!\strawberry\perl\bin\perl.exe
use strict;
use warnings;
use File::Spec::Functions;

my $logfile = catfile($ENV{AppBase}, "mylogfile");   # base dir comes from the Apache config
print "opening $logfile ...\n";
open(my $log_fh, '>>', $logfile) or die "couldn't open log file $logfile: $!\n";
print {$log_fh} "test log file line\n";
close($log_fh);
```

That works fine, until I turn on taint mode. When I turn on taint mode, I get this:

Insecure dependency in open while running with -T switch at MyCgiProg.pl line 8.

I understand why taint mode doesn't like my code: a malicious (or careless) Apache admin might point that ENV variable to the wrong directory and cause something important to be overwritten.

I'm sure other more seasoned programmers have handled this problem before, and I'd love to hear how you handled it. Thanks in advance for your assistance.

Regards, Darren
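One way to satisfy taint mode here, as an added example that is not part of the original post: every value in %ENV is tainted under -T, so the script validates the environment-supplied base directory against a strict allow-list pattern and only then uses the regex capture (which Perl marks as untainted) to build the log path. The helper names untainted_base_dir and open_log, the interpreter path in the shebang, and the assumption that the directory is set with Apache's SetEnv directive (e.g. `SetEnv AppBase /var/www/myapp`) are mine, not Darren's; the validation is a check on the admin-supplied value, not a blind `($x) = $x =~ /(.*)/` that merely silences the error.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec::Functions qw(catfile);
use Scalar::Util qw(tainted);

# perlsec: scrub the environment before doing anything else under -T.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: validate the environment-supplied base directory and
# return an untainted copy, or die. Only values matching the allow-list get
# through; it is the regex capture that clears the taint flag.
sub untainted_base_dir {
    my ($raw) = @_;
    die "AppBase is not set in the Apache config\n"
        unless defined $raw && length $raw;

    # Allow-list: an absolute path (optional Windows drive letter), with
    # segments made only of word chars, dots, hyphens and spaces.
    my ($clean) = $raw =~ m{\A((?:[A-Za-z]:)?[\\/](?:[\w.\- ]+[\\/])*[\w.\- ]*)\z}
        or die "AppBase '$raw' contains disallowed characters\n";

    # The class above allows '.', so reject '..' segments explicitly.
    die "AppBase '$clean' contains a '..' segment\n"
        if $clean =~ m{(?:\A|[\\/])\.\.(?:[\\/]|\z)};

    # Refuse to proceed if the admin pointed us at something that is not a directory.
    die "AppBase '$clean' is not a directory\n" unless -d $clean;

    return $clean;
}

# Hypothetical helper: open a log file under the validated base for append.
sub open_log {
    my ($base, $name) = @_;
    my $path = catfile($base, $name);
    open(my $fh, '>>', $path) or die "couldn't open log file $path: $!\n";
    return $fh;
}

my $base = untainted_base_dir($ENV{AppBase});
printf "AppBase %s tainted after validation\n", tainted($base) ? "is still" : "is no longer";

my $log_fh = open_log($base, "mylogfile");
print {$log_fh} "test log file line\n";
close($log_fh) or die "couldn't close log file: $!\n";
```

Run it as a CGI with `AppBase` set in the Apache configuration (or, for a quick test from a shell, `AppBase=/tmp/myapp perl -T thisscript.pl` after creating that directory). The -d check and the '..' rejection are what turn "untainting" into an actual safety property: the value is still only as trustworthy as the people who can edit httpd.conf, but the script no longer writes to an arbitrary location just because the variable happens to be set.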