Re: Taint checking

This is a known appropriate restriction of File::Find for 5.5.3, and unlikely to be changed no matter how many times you report it, because it needs to be tainted since the value is untrusted.

The new versions of File::Find include a user-controllable "I trust this" parameter for managed untainting, but you use these at your own risk:

    `untaint'
       If find is used in taint-mode (-T command line switch or if EUI
+D !=
       UID or if EGID != GID) then internally directory names have to 
+be
       untainted before they can be cd'ed to. Therefore they are check
+ed
       against a regular expression *untaint_pattern*. Note, that all 
+names
       passed to the user's *wanted()* function are still tainted.

    `untaint_pattern'
       See above. This should be set using the `qr' quoting operator. 
+The
       default is set to `qr|^([-+@\w./]+)$|'. Note that the paranthes
+is
       which are vital.

    `untaint_skip'
       If set, directories (subtrees) which fail the *untaint_pattern*
+ are
       skipped. The default is to 'die' in such a case.
[download]

-- Randal L. Schwartz, Perl hacker

Comment on Re: Taint checking Download Code

Replies are listed 'Best First'.

RE: Re: Taint checking
by ncw (Friar) on Sep 25, 2000 at 21:48 UTC

It is a bit disappointing that this untaint stuff isn't mentioned in the File::Find documentation since it is obviously a well known stubmling block.

Is there any way to upgrade File::File for perl 5.5.3 without upgrading to perl 5.6.0? I run 5.6.0 on my personal machine just to stay ahead, but I prefer 5.5.3 on the servers for its proven track record!

[reply]


Syntactic Confectionery Delight
	PerlMonks