Untaint a File Path variable

Status: Not open for further replies.

fox12 (Programmer), Jan 18, 2005
Hi, Gurus,

I'm not familiar with taint. I have a shell command call like below:

Code:
my $exeCommand = "$parentPath/mybin/createPDF $sourceFile $workingDirectory/$targetFile";
my $status = `$exeCommand`;

The script runs on a Linux box.

$parentPath is an absolute path to the subdirectory mybin/createPDF.

$sourceFile is the source file containing an absolute path.

$workingDirectory is the target directory the $targetFile will be created in.

$targetFile is the file to be created.

How should I untaint this command?

By the way, using a relative path is not an option in our environment. The path/file must be absolute for the command to find it properly.

Thanks a ton.
 
If the file path is defined by your script you don't need to untaint it. If the file path is defined by an external process or user input then you should untaint it. The basic concept is (from Perl Cookbook):

Code:
$file = $ARGV[0];                                   # $file tainted
unless ($file =~ m#^([\w.-]+)$#) {                  # $1 is untainted
    die "filename '$file' has invalid characters.\n";
}
$file = $1;

where $ARGV[0] would be your file/file path. And the regexp pattern is whatever you decide is adequate to ensure the file/path does not have any dangerous or unwanted data in it. In the above it checks that the file only contains \w (a-zA-Z0-9_) or dots or dashes. But that does not mean the file or path is safe to use; it is a very basic check. You may want to check, for example, that file paths do not start with ./ or ../.

------------------------------------------
- Kevin, perl coder unexceptional!
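The following is an added worked example, not code from the thread or from the Perl Cookbook, that applies Kevin's capture-to-untaint pattern to each piece of fox12's createPDF command. The variable names ($parentPath, $sourceFile, $workingDirectory, $targetFile) follow the question; the default values and the helper names untaint_abs_path and untaint_filename are constructed for the demo. It also swaps the backtick call for the list form of system(), so the pieces never pass through a shell, and it cleans %ENV first, because taint mode refuses to start a subprocess while $ENV{PATH} is tainted even when the program is given by absolute path.

```perl
#!/usr/bin/perl -T
# Added example: untaint each part of the createPDF command separately,
# then run the program without a shell. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also checks the environment of every subprocess, so make it
# boring before calling system(), even though $bin below is absolute.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist an absolute path: "/" followed only by [\w./-] characters.
# The ($clean) capture is what removes the taint; the checks after it run
# on the untainted copy and reject the "." / ".." segments Kevin mentions.
sub untaint_abs_path {
    my ($label, $value) = @_;
    my ($clean) = $value =~ m{^(/[\w./-]*)$}
        or die "$label '$value' contains characters outside [A-Za-z0-9_./-]\n";
    die "$label '$value' contains an empty path segment ('//')\n"
        if $clean =~ m{//};
    die "$label '$value' must not end with '/'\n"
        if length($clean) > 1 && $clean =~ m{/$};
    for my $seg (split m{/}, $clean) {
        die "$label '$value' contains a '$seg' path segment\n"
            if $seg eq '.' || $seg eq '..';
    }
    return $clean;
}

# A bare file name, using the Cookbook pattern from the reply, plus a check
# that it is not the "." or ".." directory entry.
sub untaint_filename {
    my ($label, $value) = @_;
    my ($clean) = $value =~ m{^([\w.-]+)$}
        or die "$label '$value' has invalid characters\n";
    die "$label '$value' is not a file name\n"
        if $clean eq '.' || $clean eq '..';
    return $clean;
}

# Constructed sample inputs. Anything taken from @ARGV arrives tainted;
# the fallback literals do not, so pass arguments to see the difference.
my $parentPath       = $ARGV[0] // '/opt/pdfapp';
my $sourceFile       = $ARGV[1] // '/srv/data/report.txt';
my $workingDirectory = $ARGV[2] // '/srv/out';
my $targetFile       = $ARGV[3] // 'report.pdf';
printf "parentPath tainted before check: %s\n", tainted($parentPath) ? 'yes' : 'no';

# Joining an untainted value with a string literal keeps it untainted.
my $bin    = untaint_abs_path('parentPath', $parentPath) . '/mybin/createPDF';
my $source = untaint_abs_path('sourceFile', $sourceFile);
my $target = untaint_abs_path('workingDirectory', $workingDirectory)
           . '/' . untaint_filename('targetFile', $targetFile);
printf "bin tainted after check: %s\n", tainted($bin) ? 'yes' : 'no';

die "createPDF not found or not executable at $bin\n" unless -x $bin;

# List-form system(): the three strings go straight to execve, so spaces,
# quotes or $(...) inside a file name can no longer alter the command line.
my $rc = system($bin, $source, $target);
if    ($rc == -1)   { die "could not run $bin: $!\n" }
elsif ($? & 127)    { die sprintf "createPDF killed by signal %d\n", $? & 127 }
elsif ($? >> 8)     { die sprintf "createPDF exited with status %d\n", $? >> 8 }
print "created $target\n";
```

If the output of createPDF is needed rather than its exit status, the same list form is available for a pipe open, `open(my $fh, '-|', $bin, $source, $target)`, which also bypasses the shell. The whitelist deliberately stays narrow (no spaces, no shell metacharacters, no relative segments); widen the character class only for characters the environment genuinely needs, and keep the anchors and the capture, since they are what make the value untainted.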