http://qs321.pair.com?node_id=467417

kyoshu has asked for the wisdom of the Perl Monks concerning the following question:

In one of my scripts I use File::Slurp and I'm not sure if it is safe to use it for writing/appending to a file without checking user-entered data.

example of code:

use strict;
use warnings;
use CGI;
use File::Slurp;

my $q = CGI->new;                       # the original snippet never created $q
my $somedata = $q->param('somedata');   # user-supplied value, written unchecked
write_file('somefile.txt', {append => 1}, $somedata);
...

Re: is it safe to use File::Slurp?
by Limbic~Region (Chancellor) on Jun 16, 2005 at 22:59 UTC
    kyoshu,
    I meant to respond to this earlier but I got busy and assumed someone would say the same thing anyway. Since you have a hardcoded file name and aren't using user data to construct it, you are more safe than you would have been otherwise. It is up to you to figure out if writing/appending to a file is safe or not.

    In otherwords, if the file they are writing to is executed then it is very dangerous. This doesn't have anything to do with File::Slurp though. There are a myriad of reasons it might be dangerous to allow the write without checking it first but that's for you to decide. If you want to tell us how the data that is written to the file is used, we might be able to list all kinds of evil things you might want to check for.

    Cheers - L~R

Re: is it safe to use File::Slurp?
by samtregar (Abbot) on Jun 16, 2005 at 22:22 UTC
    Looking at the code for File::Slurp I'm stunned by how complicated it is. I have absolutely no idea if it's safe or not!

    Why not just open() the file yourself and write to it? I can guarantee that's safe as long as you don't use any user input to construct your filenames.

    -sam

Re: is it safe to use File::Slurp?
by sh1tn (Priest) on Jun 16, 2005 at 20:36 UTC
    In this case the lack of a tainted-variable check does not have anything to do with File::Slurp.
    $somedata will be interpolated and then the result will be given to write_file.
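The three replies above make separate points: the file name is hardcoded so user data never reaches open(), the content itself is written raw so its safety depends on how the file is consumed later, and taint checking is a separate question. The following is an added example that is not code from kyoshu or any of the repliers. It does what samtregar suggests (a plain open() on a fixed name) and adds the checks a practitioner would want before appending unchecked input. The file name 'somefile.txt' and the parameter name 'somedata' are taken from the question; the helper names sanitize_record and append_record, and the decision to encode line breaks and drop other control bytes, are assumptions for this illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: append one user-supplied value to a
# hardcoded file, the way samtregar suggests, with the checks a practitioner
# would add. The helper names and the sanitisation policy are assumptions.
use strict;
use warnings;
use Fcntl qw(LOCK_EX);
use CGI;

# The file name is a constant in the program. No user data is ever used to
# build it, which is the property Limbic~Region and samtregar both rely on.
my $LOGFILE = 'somefile.txt';

# Turn one submitted value into a single line. If the file is later read
# line by line (a log, a mailing list, a cron job's input), raw CR/LF in the
# input would let a user forge extra records; that is one concrete answer to
# "how is the data in the file used?".
sub sanitize_record {
    my ($data) = @_;
    $data = '' unless defined $data;          # missing parameter, not an error
    $data =~ s/\r?\n/\\n/g;                   # encode line breaks instead of writing them raw
    $data =~ s/[^\x20-\x7E]/?/g;              # replace other control or non-ASCII bytes
    return $data;
}

# Append one record with an exclusive lock, using the three-argument open so
# the mode '>>' is fixed in the code. With the two-argument form a name that
# begins with '|' or '>' would be read as a pipe or a mode, which is the
# classic reason never to let user input near the file name at all.
sub append_record {
    my ($file, $data) = @_;
    open my $fh, '>>', $file or die "cannot open $file: $!";
    flock $fh, LOCK_EX        or die "cannot lock $file: $!";
    print {$fh} sanitize_record($data), "\n"
                              or die "write to $file failed: $!";
    close $fh                 or die "close $file failed: $!";
    return 1;
}

# Usage matching the original script: the value is taken from the CGI
# parameter 'somedata' and appended to the fixed file.
my $q = CGI->new;
append_record($LOGFILE, scalar $q->param('somedata'));
```

Two things worth knowing when using this. First, running the script under perl -T will not catch the original problem: taint mode refuses tainted data in file names, commands and similar operations, but explicitly allows it in print and syswrite, so a tainted $somedata flows into the file unflagged; sanitising the content is your job either way. Second, the sanitisation here is only right if the file is a line-oriented text record; if the file is later executed, included, or parsed as a different format, the check has to be written against that format instead, which is exactly why Limbic~Region asks how the file is used.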