untaint($name);
    untaint($siteName);
    open (FILE,">/$directory/tmpl/$name.tmpl");
        print FILE $content;
    close(FILE);

sub untaint {
    my $var = $_[0];
    unless ($var =~ m/^(\w+)$/) { #allow filename to be [a-zA-Z0-9_]
        die("Tainted");
    } 
    return $var;
}
[download]

You're not untainting the variable in-place, your call to the function should read as follows:

    $name = untaint($name);
    $siteName = untaint($siteName);
    open (FILE,">/$directory/tmpl/$name.tmpl");
        print FILE $content;
    close(FILE);

sub untaint {
    my $var = $_[0];
    unless ($var =~ m/^(\w+)$/) { #allow filename to be [a-zA-Z0-9_]
        die("Tainted");
    } 
    return $var;
}
[download]

I've asked a question about another topic here, but I think you can find the answers quite useful for your tainting doubts.

Flavio (perl -e "print(scalar(reverse('ti.xittelop@oivalf')))")

Don't fool yourself.

Yeah sorry, I fixed the coding after posting, and forgot to update it here.

Still getting the error, even with the adjusted code.

"print() on closed filehandle FILE at file.cgi line 117."

Kind of weird, but tryin' to figure it out.


Stenyj

Nevermind, I tried exactly your code (rather then my variation of it) and it seems to work (at least the untain part of it):



    my ($untained_file) = $name =~ /^(\w+)$/ or die "bad filename: $na
+me";
    open (FILE,">c:/apache/htdocs/directory/tmpl/$untained_file.tmpl")
+;
        print FILE $content;
    close(FILE);
[download]


but oddly, now I'm getting:
print() on closed filehandle FILE at filename.cgi line 117. on the:


print FILE $content;
[download]

line.

Will mess around with it, and see if I can figure out what's up.

Thx again.