rename an uploaded file with cgi-lib.pl

I make correctly the upload of a file using the cgi-lib.pl,
but I would like to obtain on the server the file with the
originary name.
I can do the renaming only using a constant string in this way:
 rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."gilo";

but doing it using a variable string causes an error:
rename $cgi_sfn{'upfile'}, $cgi_lib::writefiles."$cfn";

The error_log file says:
Insecure dependency in rename while running with -T switch at /home/gilo/cgi-bin/UpJust.cgi line 39.
access to /home/gilo/cgi-bin/UpJust.cgi failed
reason: malformed header from script

Do someone know how to avoid this kind of error?
giloAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pc012197Commented:
Hi there... we've met before, haven't we? :-)

The following is from the perl documentation ('man perlsec'):

When executing a setuid script, or when you have turned on taint checking explicitly using the -T flag, Perl takes special precautions to prevent you from falling into any obvious traps.  (In some ways, a Perl script is more secure than the corresponding C program.)  Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.

As I see it the only way to avoid the error in your script is to take out the -T option.

0
giloAuthor Commented:
Hi pc, how are you?
I would have continued our previous history but in the old page disappeared the form
to send other comments, so I had to send another question, but I'm happy to have
found you again because you already know my problem.

I just would like to know where have I to add this -T flag.
I call the cgi program from the browser, then in the program I call the Readparse
routine of cgi-lib.pl and the program make the uploading.

I can't imagine where I can insert this flag.

Be patient with me  :-)

Ciao  
0
giloAuthor Commented:
I'm still waiting for an answer
0
FordreamCommented:
Hello, pc!
 AS you the error occurs because '-T', the taint-check option is enabled. But you don't know that where is it inserted? Okay?
 I know that '-T' option automatically is inserted when security is needed like when script is setuided or ALSO CGI.
 While this option is enabled, 'Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes.'. You violated that.
 To go on, you should secure that. To see how to secure, I recommand you to see man page about 'perlsec', the perl security. if you can't find that. Reply me. then I'll post that.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Scripting Languages

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.