Getting To Grips With Taint - And Picking Up Files

by Anonymous Monk
on Sep 30, 2002 at 15:40 UTC

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Peeps,

I have written the code below to pick up files in the /var/log/accounts directory and put them into variables so that I can mess around with them. It seems to work fine, but I would like to implement tainting on this script, and it doesn't seem to work.

If anybody has a better, cleaner and taintable way of doing what i am trying to do, PLEASE HELP ME!!

    #! /usr/bin/perl -wT
    use strict;
    use warnings;

    # grab details from files
    my ($file, $account);
    my @file = `ls /var/log/accounts/`;
    foreach $file (@file) {
        chomp $file;
        $file = "/var/log/accounts/$file";
        open(FILE, "<$file") || die;
        my @account = <FILE>;
        close(FILE);
        foreach $account (@account) {
            chomp $account;
            my ($fullname,$username,$password,$domain,$service,$email,$updates,$ipaddr) = split(/,/, $account);
        }
    }

Thanks

Replies are listed 'Best First'.
Re: Getting To Grips With Taint - And Picking Up Files
by zigdon (Deacon) on Sep 30, 2002 at 16:00 UTC
    It seems to work fine, but I would like to implement tainting on this script, and it doesn't seem to work.

    What does this mean? Is there an error generated? Without any more info, I'll just shoot in the dark and guess that it says that you have an insecure PATH. To fix that, just add this line to the beginning of the program:

    $ENV{PATH}='/bin:/usr/bin'; # wherever your ls exec lives

    If that's not the problem, share the error message with us, and we'll probably be able to help. You can also try looking up the error in perldiag.

    -- Dan

      That's fixed it. Cheers. Is the method I am using OK? I'm just wondering if there is a better, more solid way of doing this. I am trying to keep clear of adding Perl modules as my sysadmin doesn't allow it, but I think we are on Perl 5.6.something so I am not sure what modules are included with that release. Thanks
      I just added what you suggested and now I get
      Insecure $ENV{BASH_ENV} while running with -T switch at ./add

        Ok, that helps - try setting $ENV{BASH_ENV} then to the same path, or just to an empty string, and use the full path to ls:

        $ENV{BASH_ENV} = '';
        my @files = `/bin/ls`;

        -- Dan

Re: Getting To Grips With Taint - And Picking Up Files
by rdfield (Priest) on Sep 30, 2002 at 15:53 UTC
    You could try using File::Find instead of the backticked ls. I guess you'd have to run each line of @accounts through a filtering regex too. Read perlsec for more info.

    rdfield

Re: Getting To Grips With Taint - And Picking Up Files
by tommyw (Hermit) on Sep 30, 2002 at 16:33 UTC

    foreach $file (glob '/var/log/accounts/*') {

    will allow you to remove 3 lines of code, including that pesky ls

    --
    Tommy
    Too stupid to live.
    Too stubborn to die.

Re: Getting To Grips With Taint - And Picking Up Files
by samurai (Monk) on Sep 30, 2002 at 17:08 UTC
    File::Find is a bit of overkill. A dirhandle would be much quicker:

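    use DirHandle;
    my $dh = DirHandle->new('/var/log/accounts/') or die "Cannot open directory: $!\n";
    # defined() keeps a file literally named "0" from ending the loop early
    while (defined(my $file = $dh->read())) {
        # do stuff ...
    }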
    That should clear up your taint problems.

    --
    perl: code of the samurai

Re: Getting To Grips With Taint - And Picking Up Files
by helgi (Hermit) on Sep 30, 2002 at 16:38 UTC
    I would rewrite this. Here's one way:

    #! /usr/bin/perl -wT
    use strict;
    use warnings;

    my $dir = '/var/log/accounts';   # absolute path to the accounts directory
    opendir DIR, $dir or die "Cannot opendir $dir:$!\n";
    my @files = grep !/^\.{1,2}$/, readdir DIR;
    closedir DIR;

    for (@files) {
        my $file = "$dir/$_";
        # three-argument open: a name from readdir can never select a mode or a pipe
        open IN, '<', $file or die "Cannot open $file:$!\n";
        while (<IN>) {
            next if not /,/;
            chomp;
            my ($fullname,$username,$password,$domain,$service,$email,$updates,$ip_addr) = split(/,/, $_);
            next if not $ip_addr;
            print "$fullname\t$username\t$password\t$domain\t$service\t$email\t$updates\t$ip_addr\n";
        }
        close IN;
    }

    -- Regards,
    Helgi Briem
    helgi AT decode DOT is

      Just one last question (if anybody is still reading this node). Taint complains about using unlink $file; What are the alternatives to that?

      Insecure dependency in unlink while running with -T switch at ./addvirtuser.pl

Re: Getting To Grips With Taint - And Picking Up Files
by fsn (Friar) on Oct 01, 2002 at 09:25 UTC
    I guess you could lose the 'ls' call with opendir and friends. Doesn't require any module.

    opendir D, "/var/log/accounts" or die "Cannot opendir: $!\n";
    @file = readdir(D);
    closedir D;
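
Added example, not part of the thread or any poster's code: the "Insecure dependency in unlink" error appears because names returned by readdir are tainted, and it goes away once each name is captured through a strict pattern before it reaches unlink. The scratch directory, the sample record and both patterns are assumptions made so the script runs without /var/log/accounts.

```perl
#!/usr/bin/perl -wT
use strict;
use warnings;

# Only needed if the script also runs external commands; these are the
# variables behind the "Insecure $ENV{...}" errors seen in the thread.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumption: scratch stand-in for /var/log/accounts with one constructed record.
my $dir = "/tmp/taint-demo.$$";
mkdir $dir, 0700 or die "Cannot mkdir $dir: $!\n";
open my $out, '>', "$dir/newuser.csv" or die "Cannot write sample: $!\n";
print $out "Jo Bloggs,jo,secret,example.org,mail,jo\@example.org,yes,192.0.2.10\n";
close $out;

opendir my $dh, $dir or die "Cannot opendir $dir: $!\n";
my @names = grep { !/^\.\.?$/ } readdir $dh;    # every name here is tainted
closedir $dh;

for my $name (@names) {
    # Untaint by capturing from an allow-list pattern; skip anything else.
    my ($safe) = $name =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]*)$/
        or do { warn "Skipping unexpected file name\n"; next };
    my $file = "$dir/$safe";

    open my $in, '<', $file or die "Cannot open $file: $!\n";
    while (my $line = <$in>) {
        chomp $line;
        my ($fullname, $username, $password, $domain,
            $service, $email, $updates, $ipaddr) = split /,/, $line;
        next unless defined $ipaddr;             # short or malformed record
        # File contents are tainted too: validate a field before passing it
        # to a command, a file name or any other checked operation.
        my ($user) = $username =~ /^([a-z][a-z0-9_-]{0,31})$/ or next;
        print "account $user read from $file\n";
    }
    close $in;

    # Accepted under -T because $file was built only from untainted pieces.
    unlink $file or warn "Cannot unlink $file: $!\n";
}
rmdir $dir or warn "Cannot rmdir $dir: $!\n";
```

Because -T is on the #! line, run the file directly or as `perl -T script.pl`; starting it with plain `perl script.pl` makes Perl refuse to run.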

Approved by charnos