PerlMonks  

Re: Using relative paths with taint mode

by hippo (Bishop)
on Jun 19, 2021 at 18:12 UTC [id://11134033]


in reply to Using relative paths with taint mode

Is this the correct way to load a relative module under taint mode?

It is a way but TIMTOWTDI, as usual. Where you are coming unstuck (AFAICT) is that you are not untainting $Bin between lines 5 and 6.


🦛

Re^2: Using relative paths with taint mode
by Bod (Parson) on Jun 19, 2021 at 18:39 UTC

    Thanks hippo
    I thought $Bin (or any variable) could only be untainted through a regular expression. Is it something in lib that will be untainting it?

    edit: Sorry - I misread hippo's comment...my befuddled brain skipped over the word not.

      I thought $Bin (or any variable) could only be untainted through a regular expression.

      Correct. (Well, not quite. But I don't see how the other way documented in perlsec - see also Re: When not to use taint mode - could do anything to improve security.)

      Is it something in lib that will be untainting it?

      No, and lib would be the wrong place for automatic untainting. How should lib know which paths are secure and which ones aren't? How should lib know which string is a valid path, and which is not? At least lib would have to accept a regular expression to validate and untaint paths. (This is what File::Find does for the untaint and untaint_pattern options.)

      Note the wording in the previous paragraph: a regular expression to validate and untaint. You don't just want to blindly untaint. You want to validate the input. Untainting of the input is just a welcome side effect of the validation.

      By the way: you generally want a positive rule, describing what valid input looks like. You don't want negative rules that forbid invalid inputs, simply because it is too easy to forget some invalid input.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
        You don't just want to blindly untaint. You want to validate the input.

        That makes sense...thanks

        So, would a sensible approach be to check that $Bin resembles one of the places I expect it to be run from?
        Something like this (untested):

            #!/usr/bin/perl -T
            use strict;
            use warnings;
            use CGI::Carp qw(fatalsToBrowser);
            use FindBin qw($Bin);

            # Validate (and thereby untaint) $Bin before it is used. This must run in a
            # BEGIN block: 'use lib' below is processed at compile time, so a plain
            # runtime 'if' placed before it would not have assigned $Bin yet.
            BEGIN {
                if ($Bin =~ /^(\/home\/someuser\/somewebsite\/\w{2,4}\/cgi-bin)/) {
                    $Bin = $1;    # the capture of a successful match is untainted
                }
                # if the match fails, $Bin is left tainted
            }
            use lib $Bin;
            use Site::HTML;
        The \w{2,4} allows for the different subdomains used for development, testing, etc.

        I don't recall seeing anything like that in any other Perl code I've seen that uses FindBin and lib so I'm guessing there is a better way to do it...
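The validate-then-untaint pattern Alexander describes, applied to the $Bin check Bod sketches above, as an added example that is not from the thread or from any poster. It assumes the same /home/someuser/somewebsite/<label>/cgi-bin layout; the candidate paths are constructed for the demonstration and made tainted the way real FindBin data would be under -T.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): validate-and-untaint a module directory
# with a positive rule, and show that only input matching the rule becomes clean.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The only directories this site will ever load modules from (positive rule).
# Anchored at both ends so the capture is the entire, validated string.
use constant ALLOWED_BIN => qr{^(/home/someuser/somewebsite/\w{2,4}/cgi-bin)$};

# Returns the untainted directory, or dies. Perl untaints the capture of a
# successful match, so the returned value is exactly what the rule accepted.
sub untaint_dir {
    my ($dir, $rule) = @_;
    my ($clean) = $dir =~ $rule
        or die "Refusing to use '$dir': not an expected cgi-bin location\n";
    return $clean;
}

# Constructed sample inputs. Under -T everything in %ENV is tainted, and a
# zero-length substring of a tainted value is still tainted; appending it
# marks the literals below as tainted, as real $Bin data would be.
my $taint = substr(join('', values %ENV), 0, 0);
my @candidates = map { $_ . $taint } (
    '/home/someuser/somewebsite/dev/cgi-bin',            # accepted
    '/home/someuser/somewebsite/www/cgi-bin',            # accepted
    '/home/someuser/somewebsite/dev/cgi-bin/../../etc',  # rejected: trailing path
    '/home/someuser/somewebsite/staging/cgi-bin',        # rejected: label longer than 4
    '/tmp/somewebsite/dev/cgi-bin',                      # rejected: wrong prefix
);

for my $dir (@candidates) {
    my $before = tainted($dir) ? 'tainted' : 'clean';
    my $clean  = eval { untaint_dir($dir, ALLOWED_BIN) };
    if (defined $clean) {
        printf "%-50s %s -> accepted, now %s\n", $dir, $before,
            tainted($clean) ? 'tainted' : 'untainted';
    } else {
        printf "%-50s %s -> %s", $dir, $before, $@;
    }
}

# In the CGI script itself the same call belongs in a BEGIN block: 'use lib' is
# executed at compile time, so a runtime 'if' after it never untaints $Bin in time.
#
#   use FindBin qw($Bin);
#   BEGIN { $Bin = untaint_dir($Bin, ALLOWED_BIN) }
#   use lib $Bin;
#   use Site::HTML;
```

Run it as `perl -T untaint_demo.pl`; the -T on the #! line alone is rejected by perl when the switch is missing from the command line.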
