PerlMonks  

Should non-filename glob() results still be tainted?

by kcott (Bishop)
on Jan 10, 2021 at 02:13 UTC

kcott has asked for the wisdom of the Perl Monks concerning the following question:

The documentation for glob() has:

"If non-empty braces are the only wildcard characters used in the glob, no filenames are matched, ..."

In "perlsec: Taint mode", the long list of examples has (near the end):

    @files = <*.c>;         # insecure (uses readdir() or similar)
    @files = glob('*.c');   # insecure (uses readdir() or similar)
    # In either case, the results of glob are tainted, since the list of
    # filenames comes from outside of the program.

I'm an extremely infrequent user of glob(); however, I thought it could be useful in a test I was writing yesterday. The code looked something like this:

    #!perl -T

    use 5.032;
    use warnings;

    ...

    my @prefixes = qw{...};
    my @suffixes = glob '{,x}{,y}{,z}';

    ...

    for my $prefix (@prefixes) {
        for my $suffix (@suffixes) {
            my $name = join '_', $prefix, split //, $suffix;
            # run is(...) test with $name here
        }
    }

I got a "tainted" message. This code fixed it:

    my $tainted_name = join '_', $prefix, split //, $suffix;
    $tainted_name =~ /^(.+)$/;
    my $name = $1;
    # run is(...) test with $name here

I'm wondering if not tainting the values returned by a non-filename glob() would be a useful enhancement to Perl. I throw this open for discussion.

— Ken
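The behaviour the post describes can be observed directly. The following is an added example, not code from kcott's post or from anyone else in this thread: run with perl -T, it shows that a brace-only glob() returns strings that Scalar::Util::tainted reports as tainted even though no directory was read, and then untaints them with a regex capture. The untaint_suffix helper and its [xyz]* whitelist are my own choice for illustration; the original post used /^(.+)$/.

```perl
#!perl -T
# Added example (not from the PerlMonks thread). Run as:  perl -T glob_taint.pl
# Demonstrates: (1) a brace-only glob() result is tainted under -T,
#               (2) a regex capture with an explicit whitelist untaints it.
use 5.010;
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Brace-only pattern: per the glob() docs no filenames are matched; the
# result is the Cartesian product of the alternatives (8 strings, incl. '').
my @suffixes = glob '{,x}{,y}{,z}';

say "raw glob() results:";
for my $s (@suffixes) {
    # tainted() is true for every element, filesystem lookup or not.
    printf "  %-5s tainted=%d\n", "'$s'", tainted($s) ? 1 : 0;
}

# Untaint via a capture group. A whitelist character class is used instead
# of (.+) so that only values the pattern can legitimately produce pass;
# anything else is treated as an error rather than laundered through.
# (Helper name and pattern are this example's own, not the post's.)
sub untaint_suffix {
    my ($tainted_value) = @_;
    return $1 if $tainted_value =~ /\A([xyz]*)\z/;
    die "unexpected glob() result: '$tainted_value'\n";
}

my @clean = map { untaint_suffix($_) } @suffixes;

say "after untainting:";
for my $c (@clean) {
    printf "  %-5s tainted=%d\n", "'$c'", tainted($c) ? 1 : 0;
}

# The untainted values can now be combined as in the original test loop.
# split //, '' yields an empty list, so the '' suffix gives just the prefix.
my @prefixes = ('test');    # constructed sample prefix
for my $prefix (@prefixes) {
    for my $suffix (@clean) {
        my $name = join '_', $prefix, split //, $suffix;
        say "  name: $name";    # e.g. test, test_x, test_x_y_z ...
    }
}
```

Under -T the tainted values would still be printable, but using one as a filename opened for writing or as a system() argument dies with an "Insecure dependency" error; the values returned by untaint_suffix carry no taint and are safe for such uses.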

Replies are listed 'Best First'.
Re: Should non-filename glob() results still be tainted?
by Corion (Pope) on Jan 10, 2021 at 09:40 UTC

    The problem is that a crafty user can still subvert your code by creating files that match, while you expected Cartesian Products to deliver. Taint mode prefers to err on caution, so you would need to either disable taint mode or untaint your glob results.

      G'day Corion,

      "... subvert your code by creating files that match ..."

      Is the documentation wrong? It says "... no filenames are matched ..." (in the scenario that I presented).

      Perhaps some undocumented mechanism is in play of which I'm unaware. Could you expand on your answer?

      — Ken

        Hmm - no, it seems you are correct. I didn't know that (and hadn't read the documentation)!

Re: Should non-filename glob() results still be tainted?
by LanX (Cardinal) on Jan 10, 2021 at 03:09 UTC
    Sorry! Never mind, see update :)


    This is one of the more confusing DWIM parts in Perl, and from time to time I get bitten by those heuristics.

    I'd rather prefer to have another syntax for creating combinations, like

    xglob '{,x}{,y}{,z}'

    which never does a readdir and is not subject to taint.

    update

    Never mind, I actually meant the duality of the <diamond> operator, and readline and glob already fix this mostly.

    Cheers Rolf
    (addicted to the Perl Programming Language :)
    Wikisyntax for the Monastery

Node Type: perlquestion [id://11126684]
Approved by GrandFather
Front-paged by haukex