RE: Insecure dependency in glob ... with -T switch
| David Gilden 2005-01-17, 8:55 pm |
| Hi,
The code below works fine if run like:
using PERL version 5.00503
----
#!/usr/bin/perl -w
but with
#!/usr/bin/perl -wT
I am still getting error: Insecure dependency in glob while running with -T switch
Can I turn off 'tainting' for this block
{
# turn off taint for this block only
opendir(DR,"./");
my @filesToRemove = grep {$_ =~ /^(\w[\w.-]*)/} readdir DR;
closedir DR;
foreach my $fr (@filesToRemove) {
print "Deleting $fr<br>\n";
unlink($fr) or die "Couldn't Delete $fr $!";
}
}
Is there any way around this? I can't upgrade the version of PERL; it's out of my hands.
Thx,
Dave
(kora musician / audiophile / webmaster @ www.coraconnection.com / Ft. Worth, TX, USA)
| |
| Zentara 2005-01-19, 8:55 am |
| On Mon, 17 Jan 2005 14:54:58 -0600, dowda@coraconnection.com (David
Gilden) wrote:
>Hi,
>The code below works fine if run like:
>
>using PERL version 5.00503
>
>----
>#!/usr/bin/perl -w
>
>but with
>#!/usr/bin/perl -wT
>
>I am still getting error: Insecure dependency in glob while running with -T switch
>
>Can I turn off 'tainting' for this block
>
>{
># turn off taint for this block only
>
>opendir(DR,"./");
>my @filesToRemove = grep {$_ =~ /^(\w[\w.-]*)/} readdir DR;
>closedir DR;
>
>foreach my $fr (@filesToRemove) {
>
>print "Deleting $fr<br>\n";
>unlink($fr) or die "Couldn't Delete $fr $!";
>}
>
>}
>
>
>Is there any way around this? I can't upgrade the version of PERL; it's out of my hands.
I don't know much about early Perl versions, but since no one else
answered you, I will give it a shot.
What "taint error" are you getting? Is it
"Insecure $ENV{PATH}"
or something else?
Taint mode can be circumvented pretty easily, but you need to be
careful. Read perldoc perlsec.
You probably either need to change $ENV{PATH} to '.' , or the cwd.
You may need to give it a full pathname.
Or you may need to run some things through a "dumb regex", which will
satisfy the taint checking. It's a dirty hack, but you can do
sub untaint_me{
my $in = shift;
$in =~ /(.*)/;
return $1;
}
--
I'm not really a human, but I play one on earth.
http://zentara.net/japh.html
| |
| Scott R. Godin 2005-01-21, 8:55 am |
| Zentara wrote:
> On Mon, 17 Jan 2005 14:54:58 -0600, dowda@coraconnection.com (David
> Gilden) wrote:
> Taint mode can be circumvented pretty easily, but you need to be
> careful. Read perldoc perlsec.
>
> You probably either need to change $ENV{PATH} to '.' , or the cwd.
> You may need to give it a full pathname.
>
> Or you may need to run some things through a "dumb regex", which will
> satisfy the taint checking. It's a dirty hack, but you can do
>
> sub untaint_me{
> my $in = shift;
> $in =~ /(.*)/;
> return $1;
> }
>
which totally obviates the whole reason for using the -T switch to begin
with, but anyway...
--
Scott R. Godin
Laughing Dragon Services
www.webdragon.net
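
An added example, not part of the original thread: the alternative to the catch-all /(.*)/ discussed above is to untaint through a capture that actually validates the name, since only $1 is untainted and a grep filter returns the original, still tainted, readdir values. The scratch directory under /tmp, the sample file names and the helper clean_name are constructed for this illustration.

```perl
#!/usr/bin/perl -wT
use strict;

# perlsec idiom: a fixed PATH and a scrubbed environment. It only matters if
# the script later runs external commands, but it belongs in every -T script.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $name if it passes the allowlist, else nothing.
# Only the capture ($1) is untainted; $name itself stays tainted, which is why
# filtering with grep { /.../ } still hands tainted values to unlink.
sub clean_name {
    my ($name) = @_;
    # \A...\z anchor the whole string: the first character must be a word
    # character (so '.', '..' and dotfiles fail), and '/' or spaces never match.
    return $name =~ /\A(\w[\w.-]*)\z/ ? $1 : ();
}

# Constructed sample data: a scratch directory holding two acceptable names
# and two that the allowlist must reject.
my $dir    = "/tmp/taint_demo_$$";
my @sample = ('report.txt', 'old-log.1', '.hidden', 'bad name');
mkdir($dir, 0700) or die "Cannot create $dir: $!";
foreach my $n (@sample) {
    open(F, ">$dir/$n") or die "Cannot create $dir/$n: $!";
    close(F);
}

opendir(DR, $dir) or die "Cannot open $dir: $!";
my @entries = readdir DR;               # every element is tainted
closedir DR;

my @deleted;
foreach my $entry (@entries) {
    my ($name) = clean_name($entry);    # undef when the name is rejected
    next unless defined $name;
    my $path = "$dir/$name";            # literal prefix + untainted capture
    next if -l $path or !-f $path;      # plain files only, never symlinks
    unlink($path) or die "Couldn't delete $path: $!";
    push @deleted, $name;
}
print "Deleted: @{[ sort @deleted ]}\n";

# Clean up with the literal names (untainted), not the readdir values.
unlink(map { "$dir/$_" } @sample);
rmdir($dir) or die "Cannot remove $dir: $!";
```

Captures made under `use locale` remain tainted when the pattern uses \w, so this approach relies on the script not enabling locale-aware matching.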