Yet another taint mode reminder

Schwern just posted “How (not) To Load a Module…” that goes into great depth about the security risk in loading modules.

The (not) funny thing is that none of the risks he describes would be a risk when running in taint mode.

Consider “/tmp/foo.pm” with this:

package foo;
print "Loaded foo\n";
1;

Then consider this example of how Module::Load does something “unexpected”:

$ perl -MModule::Load=load -wE 'my $file=shift; load $file' ::tmp::foo
Loaded foo

(The “threat” is that given an arbitrary module name to load, it will gladly load outside @INC.)

What if that was run under taint mode, instead?

$ perl -MModule::Load=load -wTE 'my $file=shift; load $file' ::tmp::foo
Insecure dependency in require while running with -T switch at /home/david/perl5/perlbrew/perls/perl-5.14.0/lib/5.14.0/Module/Load.pm line 27.
Insecure dependency in require while running with -T switch at /home/david/perl5/perlbrew/perls/perl-5.14.0/lib/5.14.0/Module/Load.pm line 27.

I’m not sure why that message is printed twice, but that was still a fatal error and foo.pm didn’t load.

The moral of the story: if you incorporate arbitrary user input into your execution path, use taint mode and validate the input to make sure it’s something safe.
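
A sketch of the "validate the input" half of that advice, as an added example that is not from the original post or from Module::Load. The allow-list contents and the helper names `safe_module_name` and `load_checked` are assumptions made for illustration; run it with `perl -T`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Hypothetical allow-list: the only modules this program agrees to load by name.
my %ALLOWED = map { $_ => 1 } qw(JSON::PP Text::Wrap);

# Return an untainted module name, or nothing if the input is not acceptable.
sub safe_module_name {
    my ($input) = @_;
    return unless defined $input;
    # Plain identifiers joined by '::' only. No leading '::', no "'", no '/'
    # and no '.', so input such as '::tmp::foo' cannot map to a path outside @INC.
    my ($name) = $input =~ /\A([A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*)\z/
        or return;
    # The regex capture is what untaints $name; the allow-list decides
    # whether a well-formed name is one we actually want to load.
    return $ALLOWED{$name} ? $name : undef;
}

# Validate first, then require by file name so nothing else interprets the string.
sub load_checked {
    my ($input) = @_;
    my $name = safe_module_name($input)
        or die "Refusing to load module from untrusted name\n";
    (my $file = "$name.pm") =~ s{::}{/}g;
    require $file;
    return $name;
}

# Names given on the command line are tainted under -T. With no arguments,
# fall back to constructed sample inputs (literals, so not tainted themselves).
my @inputs = @ARGV
    ? @ARGV
    : ('Text::Wrap', '::tmp::foo', '/tmp/foo.pm', 'Text::Wrap; 1', 'Data::Dumper');

for my $candidate (@inputs) {
    my $loaded = eval { load_checked($candidate) };
    printf "%-16s %s\n", $candidate, $loaded ? 'loaded' : 'rejected';
}
```

Taint mode stops the unvalidated string from reaching `require`; the pattern and allow-list keep a well-formed but unwanted name (here `Data::Dumper`) from being loaded once it has been untainted.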