perl.beginners | Postings from August 2009

Taint mode & user supplied file names

From: Tim Bowden
Date: August 24, 2009 05:18
Subject: Taint mode & user supplied file names
Message ID: 1251116248.4306.19.camel@mordor
#!/usr/bin/perl -wT
use strict;

my $filename = shift @ARGV;   # command-line argument: tainted under -T

if (-f $filename){
  # two-arg open on a string built from tainted data
  open OUT, "> $filename.new" or die "can't open $filename.new: $!";
  print OUT "are we safe?\n";
  close OUT;
}

This dies with "Insecure dependency in open while running with -T
switch" as expected.  I'd like to know if, having passed the -f test, it
is safe to do no other checking on the file name if all I'm going to use
it for is to append a new extension on the file name (in addition to any
extension that may already be there)?  Would that be safe on all (or
any) platforms?  Are there any other checks I should be doing on the
file name before untainting it?

Thanks,
Tim Bowden
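Added example (not part of Tim's post) showing how taint mode behaves around this question: the -f test accepts a tainted string and does not untaint it, so the only thing that clears the taint flag is capturing the value through a regular expression. The script below restricts the name to a conservative character set, confines it to an assumed directory ($ALLOWED_DIR is an assumption, not anything from the post), verifies the flag with Scalar::Util::tainted, and uses the three-argument form of open so the mode is never derived from user-supplied characters. Run it with perl -T or via the shebang so taint checks are actually enabled.

```perl
#!/usr/bin/perl -wT
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed directory that user-named files must live in (example only).
my $ALLOWED_DIR = '/var/tmp/uploads';

# Return an untainted base name, or undef if the input is not acceptable.
sub untaint_basename {
    my ($name) = @_;
    return unless defined $name;
    # Conservative allowlist: leading alphanumeric, then alphanumerics,
    # dot, underscore or dash. No slashes, whitespace, or shell
    # metacharacters, and no leading dot (hidden files, "." and "..").
    return unless $name =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,254})\z/;
    my $clean = $1;             # the capture group is what clears the taint
    return if $clean =~ /\.\./; # belt and braces: refuse ".." anywhere
    return $clean;
}

my $raw = shift @ARGV;
die "usage: $0 FILENAME\n" unless defined $raw;

# Passing -f changes nothing about taint: the value is still flagged.
printf "argument tainted before any check: %d\n", tainted($raw) ? 1 : 0;

my $base = untaint_basename($raw)
    or die "refusing file name '$raw': not a plain base name\n";
printf "base name tainted after regex capture: %d\n", tainted($base) ? 1 : 0;

# $ALLOWED_DIR is a literal and $base is untainted, so $path is untainted
# and the new name stays inside the intended directory.
my $path = "$ALLOWED_DIR/$base";
-f $path or die "no regular file at $path\n";

# Three-argument open: the mode '>' is separate from the name, so a name
# such as ">foo" or "foo|" cannot be read as a redirection or a pipe.
open my $out, '>', "$path.new" or die "can't open $path.new: $!";
print {$out} "are we safe?\n";
close $out or die "close of $path.new failed: $!";
```

The allowlist is the important part: a denylist of "bad" characters varies by platform, whereas a short allowlist of known-safe characters is the same everywhere and is what Perl's own documentation (perlsec) recommends for untainting.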

