[tpm] Taint question

Madison Kelly linux at alteeve.com
Thu Aug 30 07:14:19 PDT 2007

Hi all,

   I've got a script (installer for my app) that I am working on. I am 
trying to do it "the right way", but I have run into a wall with a taint 
problem. Specifically, I am unable to launder a variable in the way that 
is described in 'perldoc perlsec'.

   Specifically (code somewhat simplified for clarity and brevity):

#!/usr/bin/perl -T
$ENV{PATH} = '/bin:/usr/bin';

# MADI: This allows me to develop my modules in the same directory. Move 
# out later.
BEGIN { push @INC, "./"; }

use strict;
use warnings;
use POSIX;
use locale;
use IO::Handle;
use Scalar::Util qw(tainted);

# A bunch of unrelated code...

# Record the current directory.
my $shell_call="pwd";
my $pwd=IO::Handle->new();
open ($pwd, "$shell_call 2>&1 |") || die "Error calling: $shell_call, 
error: $!\n";
my $initial_dir=<$pwd>;
# This is tainted, need to launder.
if ( $initial_dir =~ /^([-\w\/.]+)$/ )
	die "path: [$initial_dir] looks insecure.\n";
my $tainted=tainted($initial_dir);
print __LINE__."; 'tainted': [$tainted]?\n";

   This returns true all the time, and trying to use 'chdir' later based 
in part on '$initial_dir' causes the expected error:

Insecure dependency in chdir while running with -T switch at ./install 
line 323

   Anyone here can see what I am missing? This is what I was using as an 
example from 'perldoc perlsec':

Here’s a test to make sure that the data contains nothing but "word" 
characters (alphabetics, numerics, and underscores), a hyphen, an at 
sign, or a dot.

if ($data =~ /^([-\@\w.]+)$/) {
    $data = $1;                     # $data now untainted
} else {
    die "Bad data in ’$data’";      # log this somewhere

   Thanks as always!!


More information about the toronto-pm mailing list