The following script results in an 'insecure dependency in open...'
error message

#!/usr/local/bin/perl -wT

# untaint $ENV{PATH} for use with qmail
$ENV{PATH} = '/var/qmail/bin';
### tried replacing this with
### $ENV{PATH} = "/var/qmail/bin;/music/cgi-bin/online";
### but still no luck

<snip>
        if(!open(FILE, ">online/$username"))            ##### offending
line
        {
                &q_head;
                print "Error: Unable to open online file.<P>";
                &q_exit;
        }
<snip>

##############################

online/ is a folder within the script's folder.

The perl cookbook gives the tainted open() example using $ARGV[0] saying
this tainted because it comes from outside the script.   It also
mentions that I can use open() safely if I only open a file for reading
- I have to open it for writing.  $username is also picked up from
within the script by reading the value from a database.

Do you know if the database interface you are claims that it returns
untainted data?  DBI, for example, returns untaineded data by default.

I don't know about the database (DB_File in Berkeley Environment) - I haven't
seen anything related to taintedness or not in its documentation.  It may be
that I'm able to use it as I specify its name within the perl script.  I
notice that I have to untaint, when using open() and readdir(), only the
filenames and not the data contained within.

For example, the following snippet:

<snip>
opendir(ONLINE, "online") or die "Error: cannot open ONLINE
directory</BODY></HTML>";
while ($file=readdir(ONLINE))
{
# filename ($file) is username online, content is unix time of last loading
online.cgi for that user
# refresh of online.cgi is 20 seconds, remove any files older than 30 seconds

# not interested in either . or ..
        next if(($file eq '.') || ($file eq '..'));
# untaint $file
        $file = &untaint($file);
        $filename = $dir . $file;
        open(FILE, "$filename") or die "Error: Cannot open
$filename</BODY></HTML>";
        flock(FILE, LOCK_SH);
        while(<FILE>)
        {
                chomp;
#               $_ = &untaint($_);
                $time = $_;
# we just want the first line here - none of the web profile stuff
                last;
        }
        close(FILE);
        $time += 30;

sub untaint
{
        if($_[0] =~ /^([\s\w]+)$/)
        {
                return $1;
        }
        else    # $_[0] is tainted
        {
                print "<BODY BGCOLOR=\"maroon\" TEXT=\"yellow\"
LINK=\"silver\" VLINK=\"silver\">";
                print "Error: Tainted data....";
                print "</BODY></HTML>";
                exit;
        }

Even though an answer was already provided, I'd like to continue this
thread, as the above example somewhat started me.

So, what is considered to be tainted -- and what is considered to be safe?

In the above, it seems that a file open is made with a relative path
name. Still, current directory has not been set (unless it was in the
<snip> part). Am I the only one to consider this as a hole in taint
checks?

$ man perlsec
or
$ perldoc perlsec

$ perl -wT -e '$ENV{PATH} = qw(/usr/bin); exec $0'  
Insecure dependency in exec while running with -T switch at -e line 1.

Yep. It is.