
is it safe to use File::Slurp?

by kyoshu (Curate)
on Jun 16, 2005 at 19:47 UTC (#467417)
kyoshu has asked for the wisdom of the Perl Monks concerning the following question:

In one of my scripts I use File::Slurp, and I'm not sure if it is safe to use it for writing/appending to a file without checking user-entered data?

example of code:

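use strict;
use CGI;
use File::Slurp;
my $q = CGI->new;                      # CGI object that $q refers to
my $somedata = $q->param('somedata');  # user-supplied value, not checked
# append the value as-is to a hard-coded file name
write_file('somefile.txt',{append=>1},$somedata);
...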

Re: is it safe to use File::Slurp?
by sh1tn (Priest) on Jun 16, 2005 at 20:36 UTC
    In this case the lack of a tainted-variable check does not have anything to do with File::Slurp.
    $somedata will be interpolated and then the result will be given to write_file.


Re: is it safe to use File::Slurp?
by samtregar (Abbot) on Jun 16, 2005 at 22:22 UTC
    Looking at the code for File::Slurp I'm stunned by how complicated it is. I have absolutely no idea if it's safe or not!

    Why not just open() the file yourself and write to it? I can guarantee that's safe as long as you don't use any user input to construct your filenames.

    -sam

Re: is it safe to use File::Slurp?
by Limbic~Region (Chancellor) on Jun 16, 2005 at 22:59 UTC
    kyoshu,
    I meant to respond to this earlier but I got busy and assumed someone would say the same thing anyway. Since you have a hardcoded file name and aren't using user data to construct it, you are more safe than you would have been otherwise. It is up to you to figure out if writing/appending to a file is safe or not.

    In other words, if the file they are writing to is executed then it is very dangerous. This doesn't have anything to do with File::Slurp though. There are a myriad of reasons it might be dangerous to allow the write without checking it first but that's for you to decide. If you want to tell us how the data that is written to the file is used, we might be able to list all kinds of evil things you might want to check for.

    Cheers - L~R
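
An added example, not code from any poster in this thread: it combines the plain open() suggested above with a check of the submitted value before it is appended to the hard-coded file. It assumes somefile.txt holds one record per line and is only read back as text; the helper names clean_record and append_record, the 1024-character cap and the printable-ASCII allow-list are choices made for this example.

```perl
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock);

# Assumptions (not from the thread): somefile.txt holds one record per line
# and is only ever read back as text, never executed or included.
my $LOG_FILE = 'somefile.txt';   # hard-coded, never built from user input
my $MAX_LEN  = 1024;             # arbitrary cap chosen for this example

# Return the value if it is a single line of acceptable length, else nothing.
sub clean_record {
    my ($raw) = @_;
    return unless defined $raw && length $raw;
    return if length($raw) > $MAX_LEN;
    # Allow-list of printable ASCII: rejects CR/LF and other control bytes,
    # so one submission cannot forge extra lines in the file.
    # Capturing into $1 also untaints the value when run under perl -T.
    return unless $raw =~ /\A([\x20-\x7E]+)\z/;
    return $1;
}

# Append one record using a plain open(), holding an exclusive lock so
# concurrent CGI requests cannot interleave their writes.
sub append_record {
    my ($file, $record) = @_;
    open(my $fh, '>>', $file) or die "Cannot open $file: $!";
    flock($fh, LOCK_EX)       or die "Cannot lock $file: $!";
    print {$fh} $record, "\n" or die "Cannot write $file: $!";
    close($fh)                or die "Cannot close $file: $!";
    return 1;
}

my $q      = CGI->new;
my $record = clean_record(scalar $q->param('somedata'));

print $q->header('text/plain');
if (defined $record) {
    append_record($LOG_FILE, $record);
    print "stored\n";
} else {
    print "rejected\n";
}
```

If the file is later rendered as HTML or fed to another program, the allow-list has to be tightened or the value encoded for that consumer when it is read back.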
