From perlsec: Once taint mode is on, it's on for the remainder of your script.

So, alas. Perlsec also describes how to "launder" tainted data:

    Here's a test to make sure that the data contains nothing but "word" characters (alphabetics, numerics, and underscores), a hyphen, an at sign, or a dot.

        if ($data =~ /^([-\@\w.]+)$/) {
            $data = $1;              # $data now untainted
        } else {
            die "Bad data in $data"; # log this somewhere
        }

    This is fairly secure because "/\w+/" doesn't normally match shell metacharacters, nor are dot, dash, or at going to mean something special to the shell. Use of "/.+/" would have been insecure in theory because it lets everything through, but Perl doesn't check for that. The lesson is that when untainting, you must be exceedingly careful with your patterns. Laundering data using regular expression is the only mechanism for untainting dirty data, unless you use the strategy detailed below to fork a child of lesser privilege.
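An added example (not from perlsec or the answer above) showing the two patterns side by side under -T: the strict perlsec pattern and the permissive /.+/ both produce an untainted capture, but only the first actually rejects bad input. The function names untaint_strict and untaint_anything are my own; the script assumes /bin/echo exists and is run as `perl -T launder.pl VALUE`.

```perl
#!/usr/bin/perl -T
# Run as: perl -T launder.pl 'user.name@example.com'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, anything that runs a program needs a clean, absolute PATH and
# no shell-influencing variables, or Perl dies with "Insecure $ENV{PATH}".
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The perlsec pattern: word characters, hyphen, at sign, dot. Returns the
# laundered value (a regex capture is always untainted) or undef on mismatch.
sub untaint_strict {
    my ($data) = @_;
    return undef unless defined $data && $data =~ /^([-\@\w.]+)$/;
    return $1;
}

# The pattern perlsec warns about: it matches anything, so it "launders"
# shell metacharacters too. Perl does not object; only code review will.
sub untaint_anything {
    my ($data) = @_;
    return undef unless defined $data && $data =~ /^(.+)$/s;
    return $1;
}

# @ARGV is tainted under -T; a string literal in the script would not be.
my $input = shift @ARGV;
die "usage: perl -T $0 VALUE\n" unless defined $input;
printf "input %s tainted=%s\n", "'$input'", tainted($input) ? 'yes' : 'no';

# Handing tainted data to system(), even in list form, is a fatal
# "Insecure dependency" error; eval lets the script report it and continue.
eval { system('/bin/echo', $input) };
print "system() refused tainted input: $@" if $@;

my $clean = untaint_strict($input);
if (defined $clean) {
    printf "strict launder ok, tainted=%s\n", tainted($clean) ? 'yes' : 'no';
    system('/bin/echo', 'laundered value:', $clean);
} else {
    print "strict launder rejected input (e.g. a ';', space or quote)\n";
}

# Same input through the permissive pattern: untainted, but never checked.
my $sloppy = untaint_anything($input);
printf "/.+/ launder accepted=%s tainted=%s\n",
    defined $sloppy ? 'yes' : 'no',
    (defined $sloppy && tainted($sloppy)) ? 'yes' : 'no';
```

Try it once with a plain value and once with a value containing a space or ';' to see the strict pattern reject what /.+/ silently accepts.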