http://www.perlmonks.org?node_id=121149

elbie has asked for the wisdom of the Perl Monks concerning the following question:

I'm just starting to play around with the taint -T switch in some of my programs, and I'm trying to figure out what gets marked as tainted, and what doesn't.

One thing that I am puzzled over is the behaviour of the glob angle brackets. I have an extremely simple example that complains "Insecure dependency in glob while running with -T switch at ./taintglob.pl line 5."

#! /usr/bin/perl -wT
use strict;
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my @entries = </var/www/htdocs/*.html>;

Seems straightforward enough. I found an old node that seems related, and in fact the parent node (as well as perlsec) indicates that this is supposed to happen (in perl 5.005_3, at least, which I am using).

So how do I get around this? File::Glob doesn't seem to exist for 5.5. Is there another module I can use? Am I missing something?

elbieelbieelbie

Re: Newbie Tainted glob question
by chipmunk (Parson) on Oct 24, 2001 at 20:42 UTC
    You could use readdir instead. It's a bit verbose relative to using glob, but it works.
    #!/usr/bin/perl -wT
    use strict;
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    my $dir = '/var/www/htdocs';
    opendir(DIR, $dir) or die "Can't opendir $dir: $!\n";
    my @entries = map { /\.html\z/ ? "$dir/$_" : () } readdir(DIR);
    closedir(DIR);
    The map is doing two things here: grabbing only the files that end in .html, and prepending the path to mimic the behavior of the glob.
Re: Newbie Tainted glob question
by tachyon (Chancellor) on Oct 24, 2001 at 20:43 UTC

    You can get around using glob like this:

    my $dir = '/var/www/htdocs/';
    opendir DIR, $dir or die "Can't open dir $dir $!\n";
    my @entries = grep { /\.html$/ } readdir DIR;
    closedir DIR;
    print "@entries";

    This said you generally need to set $ENV{'PATH'} to a known safe value to pacify taint with a line like:

    $ENV{'PATH'} = '/bin:/usr/bin';

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
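An added example, not code from any of the posts above: it puts together chipmunk's readdir replacement for the glob and tachyon's PATH hygiene, and adds the step neither reply shows. On Perl before 5.6 the angle-bracket glob was implemented by running csh, which is why -T refuses it; File::Glob became the built-in glob in 5.6. readdir avoids the subshell, but under -T its results are themselves tainted (perlsec lists readdir among the tainted sources), so the names are fine for reading and must be untainted by regex capture before they feed a write or an exec. The script assumes Perl 5.005 or later (bareword handles, the perlsec taint test instead of Scalar::Util) and that /var/www/htdocs from the question exists; the .bak target is hypothetical and is never created.

```perl
#!/usr/bin/perl -wT
# Added example (not from any post in this thread): the readdir replacement
# for </var/www/htdocs/*.html>, plus the untainting step that comes next.
# Assumes Perl 5.005 or later and that the directory from the question exists.
use strict;

# Environment hygiene before anything that could reach a subshell (the
# replies above do the delete; tachyon adds the PATH assignment).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{'PATH'} = '/bin:/usr/bin';

# Taint test from perlsec; runs on 5.005, which has no Scalar::Util::tainted.
sub is_tainted {
    local $@;
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# What the glob did, via readdir. Bareword handle so it runs on 5.005.
# readdir() results are tainted under -T, so every name returned is tainted.
sub html_files {
    my ($dir) = @_;
    opendir(DIR, $dir) or die "Can't opendir $dir: $!\n";
    my @names = grep { /\.html\z/ } readdir(DIR);
    closedir(DIR);
    return sort @names;
}

# Untaint by regex capture: only $1 comes out untainted, so the pattern is
# the policy. No '/' is accepted, so "../" cannot become part of a write target.
sub untaint_basename {
    my ($name) = @_;
    return $name =~ /\A([\w.-]+\.html)\z/ ? $1 : undef;
}

my $dir = '/var/www/htdocs';    # literal in the source, hence untainted

for my $name (html_files($dir)) {
    my $path = "$dir/$name";    # tainted, because $name is
    printf "%-40s tainted=%s\n", $path, is_tainted($path) ? 'yes' : 'no';

    # Opening a tainted name for reading is permitted by taint mode.
    open(IN, "< $path") or die "Can't read $path: $!\n";
    my $size = -s IN;
    close(IN);

    # Opening it for writing is not: taint mode dies before the file is
    # touched. The .bak name is hypothetical; nothing is created here.
    eval { open(OUT, "> $path.bak") or die "open: $!\n"; close(OUT); 1 }
        or print "  refused as expected: $@";

    # After untainting, the same write would be allowed.
    my $clean = untaint_basename($name);
    if (!defined $clean) {
        warn "  skipping name outside the accepted pattern: $name\n";
        next;
    }
    my $target = "$dir/$clean.bak";
    printf "  %d bytes; untainted backup target %s (tainted=%s)\n",
        $size, $target, is_tainted($target) ? 'yes' : 'no';
}
```

Run it as ./script.pl (or perl -T script.pl) so the -T on the shebang line takes effect. The pattern in untaint_basename is deliberately narrow: widening it to accept everything would untaint everything and defeat the point of running under -T in the first place.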

Re: Newbie Tainted glob question
by Albannach (Monsignor) on Oct 24, 2001 at 20:35 UTC
    I don't have 5.005 handy for testing but perhaps this will work:
    opendir(DIR, '/var/www/htdocs') or die $!;
    my @entries = grep { /.*\.html$/ } readdir(DIR);
    closedir(DIR);
    Update: or do this properly as chipmunk suggests (my die was also added later - you'd think I'd learn to be more careful when pasting from a 1-liner test...)

    --
    I'd like to be able to assign to an luser

Re: Newbie Tainted glob question
by DamnDirtyApe (Curate) on Oct 25, 2001 at 02:30 UTC

    I tried running elbie's code with Perl 5.6.1, and I got the following error:

    Too late for "-T" option at taint.pl line 1.

    I got the same error on Windows and BSD. Can someone please explain what's with this?

    _______________
    DamnDirtyApe
      I suspect that it's not as complicated as all that NT specific stuff blakem mentions, if the problem is happening on BSD as well.

      If you're invoking the script as 'perl taint.pl', then the switches in your hashbang line aren't being executed as early on as they possibly could be.

      Assuming this is the case, you have two options (at least on BSD):

      Invoke it as 'perl -T taint.pl', or make the script executable and invoke it as './taint.pl'.

      Have fun!

      elbieelbieelbie

        Yup, a simple matter of adding the -T to the command line.

        Something struck me as a little odd there, so I played around and discovered that warnings don't follow the same rule -- warnings can be turned on or off from the shebang without appearing on the command line. So, is -w the only option to which this applies?

        (Not that it matters much; I always use use strict; use warnings; use diagnostics;, but I'm curious to know how it works.)

        _______________
        DamnDirtyApe