[tpm] Irritation problem

Uri Guttman uri at stemsystems.com
Thu Apr 5 00:47:54 PDT 2012


On 04/05/2012 12:58 AM, Chris Jones wrote:

> #Read the config file
> open INFILE, "../input/config1.dat" or die "config1.dat not found\n";
>

first off, use lexical file handles, not global bareword handles.


> my ($key, $value);

declare vars when first used.

you are using lexicals but i can tell you are not using strict. see why 
i can tell below.

> my %confighash;
>
> while( <INFILE> ) {
> s/#.*//; # ignore comments by erasing them
> next if /^(\s)*$/; # skip blank lines
> chomp; # remove trailing newline characters
> ($key, $value)=split("\t",$_);

my( $key, $value ) = split /\t/ ;

as i said above declare vars when first used. use more horizontal white 
space for your readers. the first arg to split is always a regex so make 
it look like one. split's default string input is $_. in general i 
recommend not using $_ for various reasons but i won't go into them now.


> my $outfilename = $confighash{outfilename};
> my $modfilename = $outfiilename . ".mod"; #add the extension.

look carefully at those two lines. there is a major difference. if you 
asked perl for help by using strict, perl would have told you the 
problem. this is why you always use strict in programs big and small.

> open(OUTFILE, ">$modfilename") or &Error_Exit("$modfilename not opened:

don't call subs with &. that is perl4 style and is not required nor 
desired in perl5.

> $!");
>
> Produces an:
> "Insecure dependency in open while running with -T switch at
> /cgi-bin/my_script.cgi line 1371

that is because you read data from the outside which is tainted and you 
didn't untaint it before using it in a file name to be opened. besides 
that you have the typo i mentioned.
>
> Whereas: my $outfilename = "hardcode_the_path/filename";

the filename is not coming from the outside, so it isn't tainted, so no error.

> my $modfilename = $outfiilename . ".mod"; #add the extension

same typo. if this was real code, the file open would work, as you'd be 
opening just '.mod' in the current dir.

> open(OUTFILE, ">$modfilename") or &Error_Exit("$modfilename not opened:
> $!");
>

uri
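The config loop rewritten along the lines of the advice above, together with the untainting step that the "Insecure dependency in open" error is asking for. This is an added example, not code from the thread; the `untaint_filename` helper and the config key names are assumptions, and the config contents are constructed inline so it runs stand-alone (run it as `perl -T script.pl`).

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): read a tab-separated config under
# taint mode, then untaint the filename before using it in open().
use strict;
use warnings;

# Constructed sample config: key<TAB>value lines, comments, blank lines.
my $config_text = <<'CFG';
# output settings
outfilename	report_2012

other	ignored
CFG

# Lexical filehandle; readline output is tainted under -T regardless of
# where the handle points, so this stands in for reading config1.dat.
my %confighash;
open my $infile, '<', \$config_text or die "config not opened: $!\n";
while ( my $line = <$infile> ) {
    $line =~ s/#.*//;            # ignore comments by erasing them
    next if $line =~ /^\s*$/;    # skip blank lines
    chomp $line;                 # remove trailing newline
    my ( $key, $value ) = split /\t/, $line, 2;   # first arg is a regex
    $confighash{$key} = $value;
}
close $infile;

# The value came from outside the program, so it is tainted. A regex
# capture is what clears the taint flag; only whitelisted characters pass.
my $outfilename = untaint_filename( $confighash{outfilename} )
    // die "outfilename missing or not a plain filename\n";

my $modfilename = $outfilename . '.mod';    # add the extension
open my $outfile, '>', $modfilename or die "$modfilename not opened: $!\n";
print {$outfile} "generated\n";
close $outfile;

# Hypothetical helper: returns the untainted name, or undef if it contains
# anything outside [A-Za-z0-9_.-] or starts with a dot (no path separators,
# no "..", so the config cannot steer the open elsewhere).
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}
```

Had the original script kept the typo `$outfiilename`, `use strict` would have refused to compile it instead of silently opening `.mod`.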

