Hi Angie, it's a while since I've looked at this, so no warranty.
On Thursday 15 Apr 2004 12:55 pm, Angie Ahl wrote:
> Hi everyone.
>
> I'm trying to work out how to untaint a path to be passed to modules.
>
> eg /stupidly/long/path/here
>
> contains the folders perl and html
>
> I want to be able to get the following ENV var from apache like so:
>
> local our $HTMLPath = $ENV{HTML_TEMPLATE_ROOT};

$HTMLPath is tainted because $ENV{HTML_TEMPLATE_ROOT} is tainted. You need to untaint $HTMLPath by amending it somehow. A common method is to use a regex to remove 'dodgy' characters, such as ~ and % or '../' which could be used to jump to another part of your system. The result would be an untainted $HTMLPath.

> And pass it to a module so it can be used to create directories/files
> etc in.
>
> I get the following error (OS X Panther BTW):
>
> Insecure dependency in mkdir while running with -T
>
> obviously I'm not going to turn taint checks off ;) If I set the path
> explicitly mkdir works fine, but that's not very modular is it ;)
>
> Found this in the perldocs, but I don't understand it:
>
> $ENV{'PATH'} = '/bin:/usr/bin';
> delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
> $path = $ENV{'PATH'}; # $path now NOT tainted

Here, you're setting $ENV{'PATH'} to a specific value ('/bin:/usr/bin') and therefore untainting it. $path is untainted because $ENV{'PATH'} is untainted. The delete is simply getting rid of variables that you don't want/need, but has no effect whatsoever on $ENV{'PATH'}.

> Am I going in the right direction? Can anyone give me a clue as to what
> the above actually does. I assume the delete function removes those
> items from ENV, but how does that make it untainted? Makes no sense to
> me.
>
> Cheers
>
> Angie

--
Gary Stainburn

This email does not contain private or confidential material as it may be snooped on by interested government parties for unknown and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
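Added example, not code from this thread: a -T script that untaints HTML_TEMPLATE_ROOT by capturing it through an allow-list regex (the only operation that clears perl's taint flag) rather than stripping characters out, refuses anything outside the allow-list or containing a '..' component, then performs the mkdir that failed for Angie. The untaint_path helper, the temp directory standing in for /stupidly/long/path/here, and the substr() trick that taints the demo value are my own assumptions; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Untaint a filesystem path by capturing only an explicitly allowed set of
# characters. Perl clears the taint flag only on data pulled out of a regex
# capture group, so this is the mechanism behind "amending" the value.
# Returns undef (never a partially cleaned string) if any character is outside
# the allow-list or any path component is '..'.
sub untaint_path {
    my ($tainted) = @_;
    return unless defined $tainted;
    # \A and \z anchor the whole string ($ alone would admit a trailing newline).
    my ($clean) = $tainted =~ m{\A(/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]*)\z}
        or return;
    return if grep { $_ eq '..' } File::Spec->splitdir($clean);
    return $clean;
}

# --- Constructed demo input (Apache would normally supply this via SetEnv) ---
# A temp dir stands in for /stupidly/long/path/here. substr() of a tainted
# %ENV value is an empty but still tainted string; appending it taints the
# whole path, reproducing what the CGI script sees under -T.
my $root = tempdir(CLEANUP => 1);
$ENV{HTML_TEMPLATE_ROOT} = $root . substr($ENV{PATH}, 0, 0);
print "raw value tainted: ", (tainted($ENV{HTML_TEMPLATE_ROOT}) ? 1 : 0), "\n";

my $html_path = untaint_path($ENV{HTML_TEMPLATE_ROOT})
    or die "HTML_TEMPLATE_ROOT missing or contains disallowed characters\n";
print "untainted value tainted: ", (tainted($html_path) ? 1 : 0), "\n";

# Anything that fails the allow-list is rejected outright, not cleaned up.
for my $bad ("$root/../other", "$root/tmp%00", "$root/a b") {
    printf "%s => %s\n", $bad, defined untaint_path($bad) ? 'ACCEPTED' : 'rejected';
}

# Clean %ENV for any child processes, exactly as the perldoc snippet does.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# With an untainted path, mkdir no longer dies with "Insecure dependency".
my $dir = File::Spec->catdir($html_path, 'html');
mkdir $dir or die "mkdir $dir: $!\n";
print "created $dir\n";
```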