develooper Front page | perl.perl5.porters | Postings from January 2008

Re: [perl #50322] CGITempFile causes "Insecure dependency in sprintf"in perl 5.10.0

Thread Previous | Thread Next
Steffen Mueller
January 28, 2008 05:16
Re: [perl #50322] CGITempFile causes "Insecure dependency in sprintf"in perl 5.10.0
Message ID:
Steve Hay wrote:
> Run the following program under perl 5.10.0 on Windows XP:
> #!perl -wT
> use strict;
> use warnings;
> use CGI;
> my $tmpfile = new CGITempFile(1);
> print "tmpfile='", $tmpfile->as_string(), "'\n";
> This causes the error:
> Insecure dependency in sprintf while running with -T switch at (eval 2)
> line 6.
> "When perl is run under taint mode, printf() and sprintf() will now
> reject any tainted format argument."
> last if ! -f ($filename =
> sprintf("${TMPDIRECTORY}${SL}CGItemp%d",$sequence++));
> Obviously there are various ways around this (it's currently causing me
> trouble with a Bugzilla system running on 5.10.0, and I've worked around
> the problem by just commenting-out the unshift() line above so that the
> tainted value is not a candidate), but I'm not sure what a good
> permanent fix would be.

it seems to me that this would have to be fixed in CGITempFile because
the error is probably genuine.

How about changing the sprintf call to this (untested, but well...):

sprintf("\%s${SL}CGItemp%d", $TMPDIRECTORY, $sequence++)

The warning is about tainted stuff in the _format_, so this should fix
the issue.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About