Re: lib/File/Find/taint.t
by Nick Ing-Simmons
Jul 1 2001 4:18AM
Jarkko Hietaniemi <jhi@[...].fi> writes:
> > # Remove insecure directories from PATH
> > my @path;
> > my $sep = $Config{path_sep};
> > foreach my $dir (split(/$sep/,$ENV{'PATH'}))
> > {
> > push(@path,$dir) unless (stat $dir)[2] & 0002;
> > }
> > $ENV{'PATH'} = join($sep,@path);
> >
> > My version (IIRC) used -w $dir, which was overkill (=wrong)
> > I assume group write is also considered insecure?
>
> Okay, would the real expert please stand up? :-)
>
> We have seen three different solutions to this so far:
> (1) none
> (2) with -w
> (3) with stat & 002
>
> None of which seems to work.

What does the C code that does the taint check do?
The stat approach is correct, but needs to use the same rules for
"insecure" as the C code.
--
Nick Ing-Simmons
http://www.ni-s.u-net.com/
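
The following is an added example, not part of the original message or of perl's own test suite: a PATH filter built on the `stat` approach from the quoted snippet, using the rule perlsec documents (each directory absolute and not writable by others than its owner and group), so group write is accepted. Assumptions: the `MAX_LEN` limit, the name `secure_path_dirs`, the constructed temporary directories, and that these rules match the C code of the perl version under discussion.

```perl
use strict;
use warnings;
use Config;
use File::Spec;
use File::Temp qw(tempdir);

# Assumption of this example: components this long or longer are rejected.
use constant MAX_LEN => 256;

# Return the PATH components that are absolute, can be stat'ed and are
# not writable by "other". Group write is accepted under this rule.
sub secure_path_dirs {
    my ($path, $sep) = @_;
    my @keep;
    # Limit -1 keeps trailing empty fields; an empty component means the
    # current directory, so it is rejected with the other relative ones.
    foreach my $dir (split /\Q$sep\E/, $path, -1) {
        next if $dir eq '' or length($dir) >= MAX_LEN;
        next unless File::Spec->file_name_is_absolute($dir);
        my @st = stat $dir;
        next unless @st;                # missing or unreadable: drop
        next if $st[2] & 0002;          # world-writable
        # Validated above, so untaint by regex capture for use under -T;
        # a value copied straight from $ENV{PATH} would stay tainted.
        my ($clean) = $dir =~ /\A(.*)\z/s;
        push @keep, $clean;
    }
    return @keep;
}

# Constructed demo: temporary directories with three different modes,
# plus a relative entry and a trailing empty entry.
my $base = tempdir(CLEANUP => 1);
my %mode = (owner_only => 0755, group_write => 0775, world_write => 0777);
for my $name (sort keys %mode) {
    mkdir "$base/$name" or die "mkdir $name: $!";
    chmod $mode{$name}, "$base/$name" or die "chmod $name: $!";
}
my $sep  = $Config{path_sep};
my $path = join $sep, map("$base/$_", sort keys %mode), 'relative/bin', '';
print "kept: $_\n" for secure_path_dirs($path, $sep);
```

In a test script the result would be assigned back with `$ENV{PATH} = join($sep, secure_path_dirs($ENV{PATH}, $sep))`.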