perl.beginners | Postings from August 2009

Taint mode & user supplied file names

Tim Bowden
August 24, 2009 05:18
#!/usr/bin/perl -wT
use strict;

my $filename = shift @ARGV;   # comes from the command line, so it is tainted

if (-f $filename){
  # dies here under -T: the tainted $filename reaches open
  open OUT, "> $filename" or die "can't open $filename $!";
  print OUT "are we safe?\n";
  close OUT;
}

This dies with "Insecure dependency in open while running with -T
switch" as expected.  I'd like to know if, having passed the -f test, it
is safe to do no other checking on the file name if all I'm going to use
it for is to append a new extension on the file name (in addition to any
extension that may already be there)?  Would that be safe on all (or
any) platforms?  Are there any other checks I should be doing on the
file name before untainting it?

Tim Bowden
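One way to do the untainting the question asks about, as an added example that is not part of Tim's post: the -f test never clears taint (file tests are allowed on tainted data), so the name is untainted with a regex capture that only admits a bare basename, and the extension is appended to that captured value. It assumes the script is started as `perl -T example.pl FILE`; the function names are mine.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Accept only a bare file name: no directory separators of any platform,
# no drive colon, no leading dot, and no ".." (a dot must be followed by
# a normal character). The regex capture is what clears the taint flag;
# anything outside the capture is discarded. Returns undef on rejection
# so a caller can never fall through to the raw value.
sub untaint_basename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef
        unless $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]*(?:\.[A-Za-z0-9_-]+)*)\z/;
    my $clean = $1;
    # Valid by the pattern, but reserved device names on Windows.
    return undef
        if $clean =~ /\A(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?:\.|\z)/i;
    return $clean;
}

# Append a new extension to the cleaned name (report.txt -> report.txt.bak).
sub output_name {
    my ($clean, $ext) = @_;
    return "$clean.$ext";
}

my $raw = shift @ARGV;
die "usage: $0 FILE\n" unless defined $raw;

# -f is fine on tainted data, but it only says the file exists; it says
# nothing about whether the name is safe to reuse in open().
die "not a regular file: $raw\n" unless -f $raw;

my $clean = untaint_basename($raw);
die "refusing file name (directory parts or odd characters): $raw\n"
    unless defined $clean;

printf "raw tainted: %d, clean tainted: %d\n",
    tainted($raw) ? 1 : 0, tainted($clean) ? 1 : 0;

my $out = output_name($clean, 'bak');
open my $fh, '>', $out or die "can't open $out: $!";   # no taint error now
print $fh "written through an untainted name\n";
close $fh or die "close $out: $!";
```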
