Re^9: How to disable taint checking by Perl?

That's a good start, Hippo, thank you! Now, how much would it take to add the sub-components alluded to in the documentation?

For example:

On versions of Perl before 5.26, activating taint mode will also remove the current directory (".") from the default value of @INC. Since version 5.26, the current directory isn't included in @INC by default.

I'd like to know what the differences in taint implementation are from one Perl version to another. I never had trouble with the @INC nor with the use of backticks to execute an external command until I unsuspectingly used a version of Perl advanced beyond this line. From what I see in the documentation, this is not the only aspect which has seen changes in taint implementation. For example:

To test whether a variable contains tainted data, and whose use would thus trigger an "Insecure dependency" message, you can use the tainted() function of the Scalar::Util module, available in your nearby CPAN mirror, and included in Perl starting from the release 5.8.0. Or you may be able to use the following is_tainted() function.

I note that your table did not go back as far as to 5.8.0--but things were already starting to move at that point, if not before.

To be clear, my understanding is that the taint mode is no longer so much of an all-or-nothing feature: it comes in multiple shades these days. It may have been true in the past that it was either enabled or disabled...this seems to be no longer the case, and it is precisely this condition for which a table would come in handy, as there is much more information than merely "Yes" or "No" which is relevant.

Blessings,

~Polyglot~

Comment on Re^9: How to disable taint checking by Perl?

Replies are listed 'Best First'.
Re^10: How to disable taint checking by Perl? by hippo (Archbishop) on Oct 25, 2023 at 17:13 UTC
my understanding is that the taint mode is no longer so much of an all-or-nothing feature: it comes in multiple shades these days. I'm afraid that your understanding is incorrect. Taint mode is either enabled or disabled, there is no halfway house. Therefore there is no other information than "Yes" or "No" to be given. 🦛	[reply]
Re^11: How to disable taint checking by Perl? by Polyglot (Chaplain) on Oct 26, 2023 at 01:44 UTC
Try not enabling taint in some post-5.26 version of Perl and then discovering that your path in that backticks command was tainted, preventing your script from running. That's the problem. Taint was automatically enabled--i.e. forcibly engaged. More like taint is either enabled or it is enabled. But then, that's not accurate either, because it was only enabled on @INC. It seems then that it was either enabled or it was partially enabled...unless you manage to compile your own Perl where you forcibly disengage taint. Blessings, ~Polyglot~	[reply]
Re^12: How to disable taint checking by Perl? by Corion (Patriarch) on Oct 26, 2023 at 07:42 UTC
This sounds very weird. I note that `.` was reomoved from `@INC` in Perl 5.26, but this has nothing to do with taint mode. It would describe the symptoms you describe without needing to involve mythical ideas about how taint mode could work or how taint mode could always be enabled though. Maybe simply putting `.` into `@INC` already solves your problem? Setting `PERL_USE_UNSAFE_INC` could be a band-aid for that issue. Also consider the code mentioned in the perldelta: `BEGIN { my $dir = "/some/trusted/directory"; chdir $dir or die "Can't chdir to $dir: $!\n"; # safe now push @INC, '.'; } use "Foo::Bar"; # may load /some/trusted/directory/Foo/Bar.pm do "config.pl"; # may load /some/trusted/directory/config.pl` [download] See perl5260delta.pod	[reply] [d/l] [select]
Re^13: How to disable taint checking by Perl? by Polyglot (Chaplain) on Oct 26, 2023 at 08:06 UTC
Re^12: How to disable taint checking by Perl? by hippo (Archbishop) on Oct 26, 2023 at 09:02 UTC
Try not enabling taint in some post-5.26 version of Perl and then discovering that your path in that backticks command was tainted, preventing your script from running. Sure, let's try that: `$ perl -E 'say $^V; say qq/Taint mode: ${^TAINT}/; say qx/date/' v5.34.0 Taint mode: 0 Thu 26 Oct 09:57:36 BST 2023 $` [download] Taint mode is entirely unsurprisingly not enabled and the code inside `qx//` runs just fine. 🦛	[reply] [d/l] [select]
Re^12: How to disable taint checking by Perl? by pryrt (Abbot) on Oct 26, 2023 at 14:46 UTC
Like hippo showed, my experience disagrees completely (). Here's an example of taint vs non-taint with Strawberry 5.32, where I am running 'notepad++.exe', which is in my path. `C:> perl -TE "say $^V; say qq/Taint mode: ${^TAINT}/; system(qq/notepa +d++.exe --help/)" v5.32.1 Taint mode: 1 Insecure $ENV{PATH} while running with -T switch at -e line 1. C:> perl -E "say $^V; say qq/Taint mode: ${^TAINT}/; system(qq/notepad +++.exe --help/)" v5.32.1 Taint mode: 0` [download] The first time, I force taint mode, to show the message when taint is active. The second time, I run it again without forcing taint mode, and it shows that it runs without giving me the insecure-path message. This plainly shows that it's not automatically forcing taint mode just because the version of perl is above 5.26. In the other topic you mentioned, you said you were in a 'use CGI' environment. Depending on how your webserver is set up, your real and effective user and/or group ids may be different, which would trigger automatic taint mode, as corion said much earlier in this conversation. My webserver does not, as I just checked by running: `print "Real Group: $(\n"; print "Effective Group: $)\n"; print "Real User: $<\n"; print "Effective User: $>\n"; print "Taint? ${^TAINT}\n";` [download] inside a script. If I run normally, the last line prints 'Taint? 0' , whereas if I add -T to the shebang in my CGI script, that last line prints 'Taint? 1' , so I know that it can properly identify taint mode. So you should use the '${^TAINT}' to verify that you really are in taint mode. And use the real/effective group and user id variables to confirm what those are set at, to see if one of those is your culprit. Also, you have not shown us a Short, Self-Contained, Correct Example which replicates your tainted results when you don't think you should be in taint, showing that code without taint errors in pre-5.26 will show a taint error in post-5.26, without you intentionally enabling taint mode. Can you share such an SSCCE? : Well, almost like hippo. I could not get taint mode to complain when I force taint mode and used 'qx' or backticks, like `C:> perl -TE "use warnings; use strict; say $^V; say qq/Taint mode: ${ +^TAINT}/; qx/notepad++.exe --help/" v5.32.1 Taint mode: 1` [download] ... which is why I switched to 'system' instead. So it may be that hippo's qx experiment wasn't sufficient, though I don't expect the non-forced-taint-mode results to change, even if hippo changes over to 'system' instead of 'qx' . edit: clarified/reworded footnote	[reply] [d/l] [select]
Re^13: How to disable taint checking by Perl? by hippo (Archbishop) on Oct 26, 2023 at 16:10 UTC
Re^14: How to disable taint checking by Perl? by pryrt (Abbot) on Oct 26, 2023 at 16:53 UTC
Re^10: How to disable taint checking by Perl? by Corion (Patriarch) on Oct 25, 2023 at 16:17 UTC
You can read all the changes by reading all the perldelta files.	[reply]