return ! eval {join('',@_),kill 0;1;};
The really interesting thing here that I think nobody
commented on yet is that this works because taintedness
is only computed per-statement, not per-expression.
Perl has a flag inside it called tainted.
Whenever Perl starts a new statement, it clears the flag.
Whenever Perl accesses tainted information, it sets the flag.
Whenever Perl performs an 'unsafe' operation, it checks
the flag and throws an exception if the flag is set.
This means that if you access tainted information in a
statement, and then perform an unsafe operation in the same
statement, Perl will throw the exception even when the
tainted infotmation couldn't possibly affect the
outcome of the unsafe operation, as in your example.
(Why was it done this way? For efficiency and ease
of implementation.)
This oddity is used here to test possibly malicious
data in conjunction with an unsafe operation, but
in such a way that the data can't possibly affect the result of
the operation, so that it's safe.
Happy Bicycle Day!
|