http://www.perlmonks.org?node_id=1018073


in reply to How to safely define a CGI program's application base directory

Just use the standard laundering technique (see perlsec):
my $app_base = $ENV{AppBase}; if ($app_base =~ m{^(/var/www/[^/]+)$}) { $app_base = $1; # $app_base no longer tainted. } my $logfile = catdir($app_base, 'mylogfile');
لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ

Replies are listed 'Best First'.
Re^2: How to safely define a CGI program's application base directory
by ddmiller (Initiate) on Feb 10, 2013 at 21:47 UTC

    Thank you for taking time to reply. That might work in some environments, but it assumes that all of the servers use the same path prefix (/var/www). I don't believe that's true in our case. I suppose I could include a note in the installation instructions that the application name must be the final directory element in the AppBAse environment variable. Then I could use a regular expression something like this:

    m{^(/.+/MyApp/)$}

    That should be sufficient to satisfy the untainting requirement, but I'm not sure whether it really makes the value "safe". Thanks again for responding so quickly.

      What threat are you trying to avoid? It is upon you to tell what is safe. If you know there are three possible values, you can try something like
      m{^(/path1|/path2|/path3)/MyApp$}
      Someone can still tweak the config to point to a wrong path (valid for a different server). You can even include other conditions into the if, not only the single match.
      لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ