[tpm] Irritation problem

Chris Jones cj at enersave.ca
Fri Apr 6 18:11:42 PDT 2012


Uri
Thanks again for your help.  I have one question about untainting 
the files before opening.

Would not the split untaint the data:
my( $key, $value ) = split /\t/ ;

As long as there are no bad characters in the data, that should untaint it?
Again the input config file contains:
infilename      ../input
outfilename     ../output

If I use:
my $outfilename = "$confighash{outfilename}";
my $modfilename = "$outfiilename".".mod";  #add the extension

Would not $modfilename be untainted?

Re lexical file handles.
I have changed all the scripts:
open my $fhIn, "$tool_input/config1.dat" or die "config1.dat not found\n";

my %confighash;

while( <$fhIn> )  {
         s/#.*//;            # ignore comments by erasing them
         next if /^(\s)*$/;  # skip blank lines
         chomp;              # remove trailing newline characters
         my( $key, $value ) = split /\t/ ;
         $confighash{ $key } = $value;
}

Which leads to a question about declaring variable and scope:
my( $key, $value ) = split /\t/ ;

Are these two variables in scope each time through the loop?  That is 
why I declared them outside the while loop in my original version.

Again, thanks for your help!


At 03:47 AM 05/04/2012, you wrote:
>On 04/05/2012 12:58 AM, Chris Jones wrote:
>
>>#Read the config file
>>open INFILE, "../input/config1.dat" or die "config1.dat not found\n";
>
>first off, use lexical file handles, not global bareword handles.
>
>
>>my ($key, $value);
>
>declare vars when first used.
>
>you are using lexicals but i can tell you are not using strict. see 
>why i can tell below.
>
>>my %confighash;
>>
>>while( <INFILE> ) {
>>s/#.*//; # ignore comments by erasing them
>>next if /^(\s)*$/; # skip blank lines
>>chomp; # remove trailing newline characters
>>($key, $value)=split("\t",$_);
>
>my( $key, $value ) = split /\t/ ;
>
>as i said above declare vars when first used. use more horizontal 
>white space for your readers. the first arg to split is always a 
>regex so make it look like one. split's default string input is $_. 
>in general i recommend not using $_ for various reasons but i won't 
>go into them now.
>
>
>>my $outfilename = $confighash{outfilename};
>>my $modfilename = $outfiilename . ".mod"; #add the extension.
>
>look carefully at those two lines. there is a major difference. if 
>you asked perl for help by using strict, perl would have told you 
>the problem. this is why you always use strict in programs big and small.
>
>>open(OUTFILE, ">$modfilename") or &Error_Exit("$modfilename not opened:
>
>don't call subs with &. that is perl4 style and is not required nor 
>desired in perl5.
>
>>$!");
>>
>>Produces an:
>>"Insecure dependency in open while running with -T switch at
>>/cgi-bin/my_script.cgi line 1371
>
>that is because you read data from the outside which is tainted and 
>you didn't untaint it before using it in a file name to be opened. 
>besides that you have the typo i mentioned.
>>
>>Where as:my $outfilename = "hardcode_the_path/filename";
>
>the filename is not coming from the outside so it isn't tainted so no error.
>
>>my $modfilename = $outfiilename . ".mod"; #add the extension
>
>same typo. if this was real code, the file open would work as you 
>opening just '.mod' in the current dir.
>
>>open(OUTFILE, ">$modfilename") or &Error_Exit("$modfilename not opened:
>>$!");
>
>uri
>_______________________________________________
>toronto-pm mailing list
>toronto-pm at pm.org
>http://mail.pm.org/mailman/listinfo/toronto-pm

Christopher Jones, P.Eng.
Suite 1801, 1 Yonge Street
Toronto, ON M5E1W7
Tel. 416-203-7465
Fax. 416-946-1005
email cj at enersave.ca
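The following is an added example, written for this page; it is not code from Chris's or Uri's messages. It reproduces the config-parsing loop from the post inside a temp directory (the config contents, the `untaint_path` helper and the file names are constructed for the example), runs under `-T`, and uses `Scalar::Util::tainted()` to show which steps actually clear the taint flag: `split` and string concatenation do not, a regex capture does, and an `open` for writing with a still-tainted name is what raises the "Insecure dependency in open" error quoted in the thread.

```perl
#!/usr/bin/perl -T
# Added example, not code from the toronto-pm thread.
# Run as:  perl -T untaint_demo.pl   (or make it executable; the -T must be
# on the command line or in the shebang when perl starts).
use strict;
use warnings;
use File::Temp   qw(tempdir);
use Scalar::Util qw(tainted);

# Scratch directory so the example is self-contained and cleans up after itself.
my $dir = tempdir( CLEANUP => 1 );

# Constructed config, same tab-separated key/value layout as config1.dat.
# $dir is an untainted literal here; once the values are read back from the
# file they are tainted, exactly like the real config.
my $config_path = "$dir/config1.dat";
open my $cfg_out, '>', $config_path or die "cannot write $config_path: $!";
print {$cfg_out} "# sample config\n",
                 "infilename\t$dir/input\n",
                 "outfilename\t$dir/output\n";
close $cfg_out;

# Same parsing loop as the post. my() inside the loop body gives a fresh
# $key/$value on every iteration; they go out of scope at the closing brace.
open my $fh_in, '<', $config_path or die "cannot read $config_path: $!";
my %confighash;
while ( my $line = <$fh_in> ) {
    $line =~ s/#.*//;            # ignore comments by erasing them
    next if $line =~ /^\s*$/;    # skip blank lines
    chomp $line;                 # remove trailing newline
    my ( $key, $value ) = split /\t/, $line;
    $confighash{$key} = $value;  # hash keys are never tainted; values are
}
close $fh_in;

my $outfilename = $confighash{outfilename};
my $modfilename = $outfilename . '.mod';           # add the extension
printf "after split:   tainted=%d\n", tainted($outfilename) ? 1 : 0;   # 1
printf "after concat:  tainted=%d\n", tainted($modfilename) ? 1 : 0;   # 1

# Opening for write with a tainted name is the error from the thread;
# it is fatal, so catch it with eval to keep going.
eval { open my $bad, '>', $modfilename or die "open failed: $!\n"; 1 }
    or print "tainted open refused: $@";

# The one operation that untaints a value is a regex capture. The pattern is
# a whitelist, so it should describe the file names you actually expect;
# here: word characters, dot, slash and dash, nothing else (POSIX paths).
sub untaint_path {
    my ($raw) = @_;
    my ($clean) = $raw =~ m{^([\w./-]+)$};
    return $clean;   # undef when the value has anything outside the whitelist
}

my $safe = untaint_path($modfilename);
die "refusing unexpected outfilename '$modfilename'\n" unless defined $safe;
printf "after capture: tainted=%d\n", tainted($safe) ? 1 : 0;          # 0

# Now the open that failed above succeeds.
open my $fh_out, '>', $safe or die "cannot open $safe: $!";
print {$fh_out} "written through an untainted name\n";
close $fh_out;
print "wrote $safe\n";
```

The capture in `untaint_path` is where the trust decision is made: taint mode cannot tell a config file you wrote from one an attacker wrote, so the regex should be as narrow as the real values allow. The post's own config uses `../output`, which this whitelist accepts; if the value could ever be influenced by a remote user, the helper should also reject `..` components so the name cannot escape the tool's directory.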


