in reply to Re: Proper and acceptable use of backticks in a modern Perl script
in thread Proper and acceptable use of backticks in a modern Perl script

Yes, this would solve the problem. I find it frustrating, however, that Perl's taint would not figure out that the path in the backticks was not a relative path and would be entirely unaffected by the $ENV{PATH} variable. One could set that to anything at all!

Blessings,

~Polyglot~

Re^3: Proper and acceptable use of backticks in a modern Perl script
by hippo (Archbishop) on Sep 18, 2023 at 11:15 UTC
    the path in the backticks was not a relative path and would be entirely unaffected by the $ENV{PATH} variable

    That's not the (whole) issue. The code you are executing within the backticks could do anything including spawning subshells which could execute code in the tainted PATH. Much more secure to specify the PATH either by hard-coding as here or with careful untainting. Just because your command statement at the top level doesn't utilise $PATH it doesn't mean that some part of it won't when running.


    🦛
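
The point made in the reply above, as an added example that is not part of the original thread: under taint mode an absolute path in backticks is still refused while `$ENV{PATH}` is tainted, and once PATH is set, the child process resolves its own bare command names through it. The script assumes a POSIX system with `/bin/sh` and an `ls` binary under `/usr/bin` or `/bin`; the inner `command -v ls` is a stand-in for whatever the real command runs internally.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as: perl -T taint_path.pl
# Assumption: POSIX system with /bin/sh, and ls in /usr/bin or /bin.
use strict;
use warnings;

# 1. Inherited (tainted) PATH: taint mode refuses the backticks even though
#    the command itself is given as an absolute path.
my $out = eval { `/bin/sh -c 'command -v ls'` };
print "inherited PATH: ", ($@ ? "refused: $@" : "ran: $out");

# 2. Hard-code PATH and remove the other variables the shell acts on
#    (the list recommended in perlsec).
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 3. The absolute path names only the outer program. The bare "ls" inside
#    it is looked up by the child through the PATH it inherits, so the same
#    command line gives different results under different PATH values.
for my $path ('/usr/bin:/bin', '/nonexistent') {
    local $ENV{PATH} = $path;    # literal string, therefore untainted
    my $found = `/bin/sh -c 'command -v ls'`;
    chomp $found;
    printf "PATH=%-14s -> child resolves ls to %s\n",
        $path, $found eq '' ? '(not found)' : $found;
}
```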