PerlMonks  

FindBin and Tainted

by mikkoi (Sexton)
on Aug 14, 2020 at 09:36 UTC (#11120715)

mikkoi has asked for the wisdom of the Perl Monks concerning the following question:

I have the following code:

use strict;
use warnings;
use FindBin 1.51 qw( $RealBin );
use lib "$RealBin/../lib";
use MyLib;

When I run it with Perl 5.28.1 as perl -T ./bin/perl-taint.pl, I get the following error:

Insecure dependency in require while running with -T switch at ./bin/perl-taint.pl line 7.
BEGIN failed--compilation aborted at ./bin/perl-taint.pl line 7.

FindBin operates in a BEGIN section, so how, if possible, can I untaint the path?

Replies are listed 'Best First'.
Re: FindBin and Tainted
by kcott (Bishop) on Aug 14, 2020 at 10:25 UTC

    G'day mikkoi,

    You'll find a lot of information about taint mode in perlsec. In particular, for your problem, look at the "Laundering and Detecting Tainted Data" section. Here's a version of the regex solution, shown in that section, for your specific problem:

    $ cat ../lib/MyLib.pm
    package MyLib;
    our $VERSION = '1.23';
    1;
    $ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib "$RealBin/../lib"; use MyLib; print $MyLib::VERSION;'
    Insecure dependency in require while running with -T switch at -e line 1.
    BEGIN failed--compilation aborted at -e line 1.
    $ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib @{["$RealBin/../lib" =~ /^([\$\w\/.]+)$/ && $1]}; use MyLib; print $MyLib::VERSION;'
    1.23

    Update (minor code improvement): Just after posting, I realised you don't actually need the ' && $1' part:

    $ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib @{["$RealBin/../lib" =~ /^([\$\w\/.]+)$/]}; use MyLib; print $MyLib::VERSION;'
    1.23

    — Ken

      The problem is that FindBin does its magic inside a BEGIN segment. Otherwise the variable wouldn't be usable in the lib command, which also operates within a BEGIN segment.

Re: FindBin and Tainted
by haj (Deacon) on Aug 14, 2020 at 10:36 UTC

    You can apply the usual untainting mantra by also using a BEGIN section:

    use strict;
    use warnings;
    use FindBin 1.51 qw( $RealBin );
    BEGIN {
        ($RealBin) = $RealBin =~ /(.+)/;
    }
    use lib "$RealBin/../lib";
    use MyLib;

    Of course, you need to trust your installation to not mess with the current working directory (because this is why $RealBin comes out tainted in the first place).

      This works. But is there any way to do the same without using the same $RealBin variable (which belongs to FindBin)?

        Sure, you can use a copy, to be declared outside of the BEGIN block:

        use strict;
        use warnings;
        use FindBin 1.51 qw( $RealBin );
        my $untainted_bin;
        BEGIN {
            ($untainted_bin) = $RealBin =~ /(.+)/;
        }
        use lib "$untainted_bin/../lib";
        use MyLib;
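Putting kcott's regex laundering and haj's BEGIN-block copy together, here is an added example that is not part of the original thread. It keeps the same layout as the question (script in bin/, MyLib.pm in ../lib) and the file name taint-safe.pl is hypothetical. The difference from the replies above is the pattern: instead of /(.+)/, which launders any value, it accepts only an absolute path made of word characters, dots and dashes, rejects "." and ".." components, and checks that the resulting lib directory exists before "use lib" runs. Scalar::Util's tainted() is used at the end to show which values are still tainted.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): whitelist-untaint
# FindBin's $RealBin before "use lib" runs. File name is hypothetical.
# Run as:  perl -T ./bin/taint-safe.pl
use strict;
use warnings;
use FindBin 1.51 qw( $RealBin );
use Scalar::Util qw( tainted );

my $lib_dir;    # declared outside BEGIN so the "use lib" below can see it

BEGIN {
    # Whitelist: absolute path whose components consist of word characters,
    # dots and dashes only. The capture into a lexical untaints the value.
    # A bare /(.+)/ would accept anything, which defeats the purpose of -T.
    my ($clean) = $RealBin =~ m{\A(/(?:[\w.-]+/)*[\w.-]+)\z};

    # The class above still admits "." and ".." as whole components
    # (FindBin resolves them, but we are validating untrusted input).
    if ( defined $clean
         && !grep { $_ eq '.' || $_ eq '..' } split m{/}, $clean )
    {
        $lib_dir = "$clean/../lib";    # untainted + literal stays untainted
    }
    else {
        die "Refusing to use script directory '$RealBin' under taint mode\n";
    }

    die "Library directory '$lib_dir' does not exist\n" unless -d $lib_dir;
}

use lib $lib_dir;
use MyLib;    # the module from the question, assumed to live in ../lib

printf "RealBin is %stainted, lib dir is %stainted\n",
    ( tainted($RealBin) ? '' : 'not ' ),
    ( tainted($lib_dir) ? '' : 'not ' );
```

The BEGIN block runs at compile time, before "use lib" and "use MyLib" are compiled, which is why the copy has to be declared with my outside the block and assigned inside it, exactly as in haj's second snippet. Whether a regex untaints is decided purely by the presence of a capture, so the security value lies entirely in how narrow the pattern is; the whitelist here documents what a script directory is allowed to look like, and the die makes an unexpected value a hard failure instead of a silently laundered one.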

Node Type: perlquestion [id://11120715]
Approved by kcott
Front-paged by Corion