in reply to FindBin and Tainted

G'day mikkoi,

You'll find a lot of information about taint mode in perlsec. In particular, for your problem, look at the "Laundering and Detecting Tainted Data" section. Here's a version of the regex solution, shown in that section, for your specific problem:

$ cat ../lib/MyLib.pm
package MyLib;
our $VERSION = '1.23';
1;
$ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib "$RealBin/../lib"; use MyLib; print $MyLib::VERSION;'
Insecure dependency in require while running with -T switch at -e line 1.
BEGIN failed--compilation aborted at -e line 1.
$ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib @{["$RealBin/../lib" =~ /^([\$\w\/.]+)$/ && $1]}; use MyLib; print $MyLib::VERSION;'
1.23

Update (minor code improvement): Just after posting, I realised you don't actually need the ' && $1' part:

$ perl -T -e 'use FindBin 1.51 qw( $RealBin ); use lib @{["$RealBin/../lib" =~ /^([\$\w\/.]+)$/]}; use MyLib; print $MyLib::VERSION;'
1.23

— Ken
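The same laundering written out as a script, as an added example that is not part of Ken's post: it untaints $RealBin inside a BEGIN block so the value is ready when `use lib` runs, and dies instead of passing an empty list to `use lib` when the path does not match. It assumes POSIX-style absolute paths and the bin/ and lib/ sibling layout from the thread; the allow-list pattern is stricter than the one in the post and is this example's choice.

```perl
# Run as: perl -T bin/app.pl   (constructed layout: bin/app.pl, lib/MyLib.pm)
use strict;
use warnings;
use FindBin qw( $RealBin );
use Scalar::Util qw( tainted );
use File::Spec;

my $lib_dir;    # declared at compile time, filled in by the BEGIN block below

BEGIN {
    # Under -T, $RealBin is tainted (the thread's "Insecure dependency in
    # require" error comes from using it in @INC without laundering).
    # A regex capture is the documented way to untaint. \A and \z anchor the
    # whole string; unlike $, \z does not accept a trailing newline.
    my ($clean) = $RealBin =~ m{\A(/[\w/.-]+)\z}
        or die "Script directory contains characters outside the allow-list\n";

    # $RealBin has symlinks resolved, so no '..' component should be left.
    # Refuse the path if one is, rather than let it redirect the lib lookup.
    die "Unexpected '..' in script directory\n"
        if grep { $_ eq File::Spec->updir } File::Spec->splitdir($clean);

    # Built only from the laundered value and constants, so it stays clean.
    $lib_dir = File::Spec->catdir( $clean, File::Spec->updir, 'lib' );

    # Fail at compile time if the value is somehow still tainted.
    die "Library path is still tainted\n" if tainted($lib_dir);
}

use lib $lib_dir;    # runs at compile time, after the BEGIN block above
use MyLib;

print "$MyLib::VERSION\n";
```

Laundering only tells Perl the value has been checked; the pattern is what decides which directories are acceptable, so keep it as narrow as the deployment allows.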

Re^2: FindBin and Tainted
by mikkoi (Beadle) on Aug 14, 2020 at 22:44 UTC

    The problem is that FindBin does its magic inside a BEGIN segment. Otherwise the variable wouldn't be useable in the command lib, which also operates within a BEGIN segment.