Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re: How to safely define a CGI program's application base directory

by Dallaylaen (Scribe)
on Feb 11, 2013 at 13:19 UTC ( #1018135=note: print w/ replies, xml ) Need Help??


in reply to How to safely define a CGI program's application base directory

If your app is itself located under AppBase, you could use dirname() and __FILE__ which are taint-free:

#!/usr/bin/perl -wT

use strict;

my $basedir;
use File::Basename qw(dirname);
BEGIN { $basedir = dirname(dirname(__FILE__)) };
use lib $basedir.'/lib';

use YAML; # Dummy - use fails if @INC is tainted
print "File = ", __FILE__, "\n";
print "Lib = @INC\n";
If that's not the case, I would just assume AppBase is always fine and "untaint" it through some regular expression (preferably with a comment why I did so).


Comment on Re: How to safely define a CGI program's application base directory
Re^2: How to safely define a CGI program's application base directory
by Dallaylaen (Scribe) on Feb 11, 2013 at 13:58 UTC

    BTW, on a *NIX system one can put rubbish into __FILE__ via

    % ln -s myscript.pl evil-char-sequence.pl
    Not as simple as 'SOMEVAR=evil-char-sequence ./myscript.pl', but still possible (but an unlikely attack vector, and not available to a remote attacker).
      If attacker has access to filesystem (or %ENV) the game is already over , nothing to worry about :)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1018135]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (8)
As of 2014-10-24 07:16 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (130 votes), past polls