[tpm] Irritation problem

Chris Jones cj at enersave.ca
Mon Apr 9 08:43:02 PDT 2012


Thank you Liam.  Having read perldoc perlsec, now for the first time, 
I realize I have not been paying attention at all.  The web 
application has been running on the same Unix server since 2002 and 
it is being moved to a different server.  Apparently this new server 
is doing things correctly and I am trying to catch up.

In the previous incarnation, I included the name of the cgi script to 
call in the datafile and could not for the life of me understand why 
this wasn't working anymore.  The same with trying to open output 
files.  I could not understand why the only way the file would open 
was if I hard coded the path in the script.

Back to school time.


At 11:48 PM 06/04/2012, Liam R E Quin wrote:
>On Fri, 2012-04-06 at 21:11 -0400, Chris Jones wrote:
> > Uri
> > Thanks again for your help.  I have one question about untainting
> > the files before opening.
> >
> > Would not the split untaint the data:
> > my( $key, $value ) = split /\t/ ;
>
>No.
>
>The only ways to untaint data are to use them as keys in a hash (so $key
>is OK here, but $value is not) or to pick them out of a regular
>expression match with $1, $2, etc.
>The point of marking input data as tainted is so you can catch things
>like,
>my ($filename, $info) = split;
>system("ls $filename");
>and have filename be "/etc/group;reboot;" or something
>
>see "perldoc perlsec" for more info.
>
> >
> > As long as there are no bad characters in the data that should untaint it?
> > Again the input config file contains:
> > infilename      ../input
> > outfilename     ../output
> >
> > If I use:
> > my $outfilename = "$confighash{outfilename}";
> > my $modfilename = "$outfiilename".".mod";  #add the extension
> >
> > Would not $modfilename be untainted?
>no. Also watch for the two i's in outfiilename.
>
>The general principle is that data from outside your program cannot be
>trusted (whereas data from inside your program _probably_ shouldn't be
>trusted :-)) and untrusted data must never be allowed to affect the
>world outside your program.  Yes, your data file might be safe, but what
>if it wasn't? How does Perl know?
>
>[...]
> > Which leads to a question about declaring variable and scope:
> > my( $key, $value ) = split /\t/ ;
> >
> > Are these two variables in scope each time through the loop?  That is
> > why I declared them outside the while loop in my original version.
>
>They are in scope, yes -- but if you have
>
>while ($sun_shines) {
>     my $cider = split;
>     . . .
>}
>
>then there's a new $cider made each time around the loop.
>
>Hope that helps.
>
>Liam
>
>--
>Liam Quin - XML Activity Lead, W3C, http://www.w3.org/People/Quin/
>Pictures from old books: http://fromoldbooks.org/

Christopher Jones, P.Eng.
Suite 1801, 1 Yonge Street
Toronto, ON M5E1W7
Tel. 416-203-7465
Fax. 416-946-1005
email cj at enersave.ca
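The points made in the thread (split does not untaint, hash keys are never tainted but hash values are, concatenation keeps the taint, a regex capture is what actually untaints, and a hard-coded base directory is the right place to anchor config-supplied names) can be seen in one small script. This is an added example, not code from either poster; the script name untaint_demo.pl, the config lines it writes (including the hostile "list.cgi;reboot" entry) and the helper untaint_filename are all constructed for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Scalar::Util qw(tainted);

# Taint checks exist only under -T, so refuse to run without it.
die "run this as: perl -T untaint_demo.pl\n" unless ${^TAINT};

# Scratch directory standing in for the hard-coded base directory of the
# real script; everything the config names must end up under it.
# (tempdir ignores a tainted $ENV{TMPDIR} and returns an untainted path.)
my $base = tempdir(CLEANUP => 1);

# Constructed config file in the same tab-separated key/value shape as the
# one in the thread, plus one hostile line of the kind Liam describes.
my $cfg_path = File::Spec->catfile($base, 'config.txt');
open my $cfg, '>', $cfg_path or die "write $cfg_path: $!";
print {$cfg} "infilename\tinput\n",
             "outfilename\toutput\n",
             "script\tlist.cgi;reboot\n";
close $cfg;

# Read it back: under -T everything read from a filehandle is tainted.
my %config;
open my $in, '<', $cfg_path or die "read $cfg_path: $!";
while (my $line = <$in>) {
    chomp $line;
    my ($key, $value) = split /\t/, $line, 2;   # split does NOT untaint
    $config{$key} = $value;
}
close $in;

# Hash keys are never tainted; the values stored under them still are.
for my $k (sort keys %config) {
    printf "%-12s key tainted=%d  value tainted=%d\n",
        $k, tainted($k) ? 1 : 0, tainted($config{$k}) ? 1 : 0;
}

# Building a new string from a tainted one keeps the taint.
my $modfilename = $config{outfilename} . '.mod';
printf "modfilename tainted=%d\n", tainted($modfilename) ? 1 : 0;

# Opening a tainted name for writing is exactly what -T stops (it dies with
# "Insecure dependency in open"); a read-only open would still be allowed.
my $unsafe = File::Spec->catfile($base, $modfilename);
eval { open my $fh, '>', $unsafe or die "open: $!"; close $fh; 1 }
    or print "write to '$modfilename' refused: $@";

# Untainting means extracting only the part you have positively checked,
# via a regex capture. Allow a plain file name of [A-Za-z0-9._-] that does
# not start with '.', so '..', '/', ';' and shell metacharacters are
# rejected rather than passed through.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([A-Za-z0-9_-][A-Za-z0-9._-]*)\z/;
    return $1;    # $1 is untainted; $raw is not
}

# Shell-related environment must be cleaned before any system() under -T.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

for my $k (qw(outfilename script)) {
    my $name = untaint_filename($config{$k});
    if (!defined $name) {
        print "$k: '$config{$k}' rejected, not a plain file name\n";
        next;
    }
    # Untainted base + untainted name => untainted path.
    my $path = File::Spec->catfile($base, $name . '.mod');
    open my $out, '>', $path or die "open $path: $!";
    print {$out} "ok\n";
    close $out;
    printf "%s: wrote %s (tainted=%d)\n", $k, $path, tainted($path) ? 1 : 0;

    # List-form system() with an untainted argument: no shell, no ";reboot".
    system('ls', '-l', $path) == 0 or warn "ls failed: $?";
}
```

Run it as `perl -T untaint_demo.pl`. The "outfilename" entry passes the check and is written under the script's own base directory; the "script" entry is rejected because of the ';', which is the whole point of taint mode: the config file is not trusted to tell the script where to write or what to run, only to supply a name the script has validated against its own allow-list.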
