| Ani-_ | $ENV{PATH} (or %ENV in general) comes from the outside and is therefore tainted. |
| gnube | Here it is: /home/jeremiah/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games. Pretty straightforward, it would seem to me. Is it because I am passing a file from /tmp? |
| Ani-_ | gnube: perhaps I should explain myself better... |
| ailton | I have a $var1 set to "hello" and a $var2 set to pal, I wanna do a little regexp check on those vars and see if they match the regexp. I think it should be done something like this: if ($var1 + $var2 == ^hello\spal$) { print.. <-- any ideas? |
| Ani-_ | gnube: if you do not set $ENV{PATH} in your script then it should not be trusted (= it is tainted). |
| xand | ailton: why check something you know? and you use . to join strings, not + |
| Ani-_ | gnube: something that tries to trust it (File::Copy in this case) will give you that Insecure dependency error. |
| gnube | Ani-_: Ah! I see. So I should explicitly declare it beforehand? |
| xand | and to match regexes it's =~ not == |
| Ani-_ | gnube: try: perl -Te 'system("ls");' # ==> it won't work. gnube: exactly. |
| ailton | xand: well it's not always set to that.. it was an example |
| gnube | Wow. Impressive security when you think about it. |
| ailton | xand: if ($var1 . $var2 == ^hello\spal$) { |
| xand | no |
| ailton | will it even work to use regexp like that? in an if statement? |
| xand | not like that |
| Ani-_ | *Everything* that is not set in your script is tainted. (that means, %ENV, input, ...) |
| gnube | Ani-_: So are there other vars I need to watch out for or just the . . . |
| xand | if($var1 . $var2 =~ /regex/){ |
| gnube | ahmad`, that was what I was going to ask Ani-_, Is it enough to just declare the hash like this - my %ENV? |
| Ani-_ | gnube: perldoc perlsec # look at 'Cleaning Up Your Path' |
| gnube | Ani-_, Ok, I have perlsec open now so I will read a little |
| Ani-_ | gnube: no. my %ENV will create a new lexical hash %ENV. It will leave intact the global %ENV. |
| Daveman | Hello gentlemen |
| xand | Hello cavemen |
| gnube | Ani-_, Oh okay. Found the PATH info in perlsec, thanks for the pointer. |
| Daveman | xand ^_^ |
| ailton | xand, will it match hello dude or hellodude? |
| Ani-_ | Google-- |
| xand | try it and see |
| Daveman | :| |
| ailton | will $var1 . $var2 be hellopal or hello pal? I want a space between them |
| xand | "fish" . "cake" = "fishcake" |
| ailton | between |
| Ani-_ | $var1 . $var2 will not add a space in between. |