SEI CERT Perl Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 13

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ffcccc
langperl
use File::PathConvert qw(realpath $resolved);

sub work_with_image {
  my ($image_file) = @_; # untrusted
  $image_file = realpath("/img/$image_file") || croak "Resolution stopped at $resolved";
  if ($image_file !~ m|/img/|) {
    croak "Image file not in /img";
  }
  open( my $image, "<", $image_file) or croak "Can't open $image_file";
  # ...
}

...

Code Block
bgColor#ccccff
langperl
use Cwd 'abs_path';

sub work_with_image {
  my ($image_file) = @_; # untrusted
  $image_file = abs_path("/img/$image_file");
  $filename = abs_path( $filename);if ($image_file !~ m|/img/|) {
    croak "Image file not in /img";
  }
  open( my $image, "<", $image_file) or croak "Can't open $image_file";
  # ...
}

...

Tool

Diagnostic

Notes
Taint mode

Insecure dependency in .*open

Detects only files open for writing.
Does not detect files open only for reading.

Related Guidelines

Secure untrusted
SEI CERT C Coding StandardFIO02-C. Canonicalize path names originating from tainted sources
SEI CERT C++ Secure Coding StandardVOID FIO02-CPP. Canonicalize path names originating from untrusted sources
CERT Oracle Secure Coding Standard for JavaMET02-J. Do not use deprecated or obsolete classes or methods

Bibliography

[CPAN]Slaymaker, Barrie, File::PathConvert; Müller, Steffen, File::Spec
[Howard 2002]Chapter 11, "Canonical Representation Issues"
[VU#764027]zml.cgi does not adequately validate user input thereby allowing directory traversal
[VU#806091]Mike Spice's My Calendar does not adequately validate user input
[Wall 2011]Cwd

 

...

Image Modified Image Modified Image Modified