SEI CERT Perl Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 11

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ffcccc
langperl
use File::PathConvert qw(realpath $resolved);

sub work_with_image {
  my ($image_file) = @_; # untrusted
  $image_file = realpath("/img/$image_file") || croak "Resolution stopped at $resolved";
  if ($image_file !~ m|/img/|) {
    croak "Image file not in /img";
  }
  open( my $image, "<", $image_file) or croak "Can't open $image_file";
  # ...
}

...

Code Block
bgColor#ccccff
langperl
use Cwd 'abs_path';

sub work_with_image {
  my ($image_file) = @_; # untrusted
  $image_file = abs_path("/img/$image_file");
  $filename = abs_path( $filename);
  if ($image_file !~ m|/img/|) {
    croak "Image file not in /img";
  }
  open( my $image, "<", $image_file) or croak "Can't open $image_file";
  # ...
}

...

Tool

Diagnostic

Notes
Taint mode

Insecure dependency in .*open

Detects only files open for writing.
Does not detect files open only for reading.

Related Guidelines

SEI CERT C

...

Coding Standard

...

FIO02-C. Canonicalize path names originating from

...

tainted sources
SEI CERT C++

...

Coding Standard

...

VOID FIO02-CPP. Canonicalize path names originating from untrusted sources

...

CERT Oracle Secure Coding Standard for Java

...

MET02-J. Do not use deprecated or obsolete classes or methods

Bibliography

.
[CPAN]Slaymaker, Barrie, File::PathConvert; Müller, Steffen, File::Spec
[Howard 2002]Chapter 11, "Canonical Representation Issues"
[VU#764027]zml.cgi does not adequately validate user input thereby allowing directory traversal
[VU#806091]Mike Spice's My Calendar does not adequately validate user input
[Wall 2011]Cwd

 

...

Image Modified Image Modified Image Modified