in reply to Should non-filename glob() results still be tainted?

>The problem is that a crafty user can still subvert your code by creating files that match, while you expected Cartesian Products to deliver. Taint mode prefers to err on caution, so you would need to either disable taint mode or untaint your glob results.


Re^2: Should non-filename glob() results still be tainted?
by kcott (Archbishop) on Jan 10, 2021 at 12:10 UTC

    G'day Corion,

    "... subvert your code by creating files that match ..."

    Is the documentation wrong? It says "... no filenames are matched ..." (in the scenario that I presented).

    Perhaps some undocumented mechanism is in play of which I'm unaware. Could you expand on your answer?

    — Ken

      Hmm - no, it seems you are correct. I didn't know that (and hadn't read the documentation)!
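The exchange above, as an added example that is not part of the thread: a brace-only glob pattern produces a Cartesian product of strings without consulting the filesystem (the "no filenames are matched" case kcott quotes from the documentation), yet under `-T` those strings still carry the taint flag, so they must be untainted before a file-writing operation. The `/tmp`-based temporary directory, the file names and the accepted pattern are all constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Shows that glob() results built purely
# from brace expansion are tainted under -T and how to untaint them with an
# explicit pattern before using them as file names.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempdir);

# Brace-only pattern: no wildcard metacharacters, so no filesystem lookup;
# glob() simply returns the Cartesian product of the alternatives.
my @names = glob('{alpha,beta}_{1,2}.log');   # alpha_1.log alpha_2.log beta_1.log beta_2.log

# Scratch directory (constructed for the example, removed at exit).
my $dir = tempdir(CLEANUP => 1);

for my $name (@names) {
    printf "%-12s tainted before untaint: %d\n", $name, tainted($name) ? 1 : 0;

    # Untaint by capturing exactly the shape we intend to accept: a lowercase
    # word, an underscore, a single digit and the ".log" suffix. Anything else
    # is rejected rather than blindly untainted.
    my ($safe) = $name =~ /\A([a-z]+_[0-9]\.log)\z/
        or die "unexpected glob result '$name'";

    printf "%-12s tainted after untaint:  %d\n", $safe, tainted($safe) ? 1 : 0;

    # With $name instead of $safe this open would die with
    # "Insecure dependency in open while running with -T switch".
    open my $fh, '>>', "$dir/$safe" or die "open $dir/$safe: $!";
    close $fh;
}
```

Run it as `perl -T example.pl`; the `-T` on the shebang line alone is rejected with "Too late for -T" when the script is started via `perl example.pl`. Scalar::Util's `tainted()` reports 1 for every element of `@names` and 0 for the captured `$safe`, which is why the open succeeds.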