Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"

taint checking and @INC

by coolmichael (Deacon)
on Jul 19, 2001 at 09:01 UTC ( #97987=perlquestion: print w/replies, xml ) Need Help??
coolmichael has asked for the wisdom of the Perl Monks concerning the following question:

I've read perlsec. I didn't see anything in the sections about taint checking that mentioned how @INC changes with -T. I read in CGI Programming with Perl on page 210 that the PATH must be secure and ./ isn't included in the PATH, because they can be modified by their owner.

I'm wondering how much of a security risk is it to do this:

#!perl -Tw ... use lib '.';
in a CGI script? Will Perl even let me do that?

Replies are listed 'Best First'.
Re: taint checking and @INC
by HyperZonk (Friar) on Jul 19, 2001 at 09:15 UTC
    $ENV{PATH} is tainted because it is obtained from "outside" your program. In taint mode, you can't use something from outside your program to affect something else outside your program. Your '.' is explicitly defined within your program, it is not obtained from an outside source (such as a file, an environment variable, or STDIN). Also, use lib is not attempting to affect something outside of the program, it is changing where the program looks for modules. Because of both, this is taint-free (I'm sure about the first part, and pretty sure about the second).

    Note that there are a few kinds of data obtained from outside the program that are not tainted. See perlsec for details.
Re: taint checking and @INC
by LD2 (Curate) on Jul 19, 2001 at 09:06 UTC
    coolmichael, you may want to check this site out: CGI/Perl Taint Mode FAQ - mainly the section named - How do I fix problems with require or use statements in taint mode?

    From this FAQ, I believe you can do this:
    use lib qw(.);
(tye)Re: taint checking and @INC
by tye (Sage) on Jul 19, 2001 at 19:39 UTC

    I see no problem with adding "use lib '.';" provided you:

    • preceed it by BEGIN { chdir("/abs/path") or die "Can't chdir to /abs/path: $!\n" }
    • be very careful to prevent "others" from getting "write" access to /abs/path
    This last item could even involve checking the permissions on the directory from within the script.

            - tye (but my friends call me "Tye")

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://97987]
Approved by root
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (4)
As of 2017-09-25 23:44 GMT
Find Nodes?
    Voting Booth?
    During the recent solar eclipse, I:

    Results (291 votes). Check out past polls.