Secure, independent and untainted now - all thanks to me!:)
The $site variable was actually passed in and I guess that could pose a
security risk in that information passed in influences the directory
structure. This is my first experience of Perl's security features - quite
cool, as long as you know what's happening.
Thanks very much, Me.
Cheers
Breezy
Me wrote:
> Oops, my response ignores the specific line perl actually complained
> about. ;>
>
> One of the three variables used in the filename itself is tainted.
> I don't know which one because I don't know the rest of your code.
> Same rules as the ones I listed apply.
>
> > > if ( open( FD, "<$Globals::DATA/$site/$Globals::REFTALLY" )) {
> >
> > > #**************Error occurs here (on open)***************
> > > if ( open( FD, ">$Globals::DATA/$site/$Globals::REFTALLY" )) {
> >
> > > Insecure dependency in open while running with -T switch at
> >
> > perl is being run with the -T switch. This means you are running in
> > "taint mode". Taint mode means data that you get from outside
> > your program is untrusted and untrusted data is marked -- "tainted".
> > You can not send tainted data, directly or indirectly, back outside
> > your program. Any data whose value might be affected by tainted
> > data is itself tainted.
> >
> > Solutions:
> >
> > 1. Turn taint checking off. (And your code becomes insecure to the
> > extent that outside data should not be trusted and your use of that
> > data is open to abuse.)
> >
> > 2. Turn tainting off for the FD filehandle. (And your code becomes
> > insecure to the extent that data from that file should not be trusted
> > and your use of that data is open to abuse.) See FileHandle.pm.
> >
> > 3. Process the data to verify it is ok, then untaint it bit by bit as
> > appropriate. (And your code is insecure to the extent that you
> > screw up.)
> >
> > See
> >
> > perldoc perlsec
> >
> > hth
> >
> >
> > --
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
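The following is an added worked example of solution 3 above (verify the data, then untaint it piece by piece); it is not code from Breezy's script or from the thread. It assumes, as the thread suggests, that $Globals::DATA and $Globals::REFTALLY are hard-coded constants (here stand-ins named $DATA and $REFTALLY) and that $site is the one tainted input; the SITE environment variable and the /tmp path are constructed for the demo. Note that perlsec permits a read-only open on a tainted filename but refuses a write, which is why the ">" open in the original was the line that died while the "<" open just before it did not.

```perl
#!/usr/bin/perl -T
# Run as:  SITE=site1 perl -T taint_demo.pl   (and try SITE=../etc)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Stand-ins for $Globals::DATA / $Globals::REFTALLY (assumption: literals in
# the real Globals.pm, hence not tainted).  /tmp path is for the demo only.
our $DATA     = '/tmp/taint_demo';
our $REFTALLY = 'reftally.txt';

# Constructed tainted input.  In the original CGI $site came from the request;
# here it comes from %ENV, which perl -T also marks tainted.  The fallback
# literal is untainted, so set SITE in the environment to see the check bite.
my $site_in = exists $ENV{SITE} ? $ENV{SITE} : 'site1';
print 'raw input tainted: ', (tainted($site_in) ? 'yes' : 'no'), "\n";

# Untaint by verification: only a capture group from a regex match yields
# untainted data.  The allow-list excludes '/', '..', NUL, whitespace and the
# leading '|' / '<' / '>' that two-argument open() would interpret, so the
# value cannot escape $DATA or turn the filename into a pipe.  \A..\z (not $)
# matters: $ would still accept "site1\n".
sub untaint_site {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return $1;    # $1 is untainted even though $raw was not
}

# Show the allow-list on a few constructed probes.
for my $probe ('site1', '../etc', 'a/b', "site1\n", 'bad name') {
    printf "%-10s %s\n", "'$probe'", defined untaint_site($probe) ? 'accepted' : 'rejected';
}

my $site = untaint_site($site_in);
die "rejected site name\n" unless defined $site;
print 'untainted site tainted: ', (tainted($site) ? 'yes' : 'no'), "\n";

mkdir $DATA;
mkdir "$DATA/$site";
my $path = "$DATA/$site/$REFTALLY";    # untainted: built only from clean parts

# Read the current tally.  Data read from a file is tainted too, so the number
# is untainted the same way before it is used to rewrite the file.
my $tally = 0;
if (open my $in, '<', $path) {         # three-argument open: no magic chars
    my $line = <$in>;
    close $in;
    $tally = $1 if defined $line && $line =~ /\A(\d+)/;
}
$tally++;

# This is the write that raised "Insecure dependency in open" when $site was
# still tainted; with the verified $site it is accepted under -T.
open my $out, '>', $path or die "cannot write $path: $!";
print {$out} "$tally\n";
close $out;
print "$site -> $tally\n";
```

Two design points: the regex is an allow-list, not a list of bad characters, because the goal is to state exactly what a site name may look like rather than to enumerate ways of escaping the directory; and the three-argument open is used throughout, since the original two-argument form ("<$Globals::DATA/$site/...") lets a leading "|" or ">" in the interpolated data change the mode of the open, which is part of what taint mode is protecting against.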