in reply to Re^12: How to disable taint checking by Perl?
in thread How to disable taint checking by Perl?

Regarding the footnote, if I use -T then taint mode is on and the qx// correctly makes the script die:

$ perl -TE 'say $^V; say qq/Taint mode: ${^TAINT}/; say qx/date/'
v5.34.0
Taint mode: 1
Insecure $ENV{PATH} while running with -T switch at -e line 1.
$

Similarly the results using system are also as expected:

$ perl -E 'say $^V; say qq/Taint mode: ${^TAINT}/; system q/date/'
v5.34.0
Taint mode: 0
Thu 26 Oct 17:07:03 BST 2023
$ perl -TE 'say $^V; say qq/Taint mode: ${^TAINT}/; system q/date/'
v5.34.0
Taint mode: 1
Insecure $ENV{PATH} while running with -T switch at -e line 1.
$

In case it is unclear, I am running these on a non-MSWin32 system.


🦛

Re^14: How to disable taint checking by Perl?
by pryrt (Abbot) on Oct 26, 2023 at 16:53 UTC
    Interesting.

    Just in case it was something to do with version, and now that Strawberry has something newer than 5.32: I downloaded Strawberry 5.36, and tried again, comparing qx vs system for the same command.

    C:> perl -TE "say $^V; say qq/Taint mode: ${^TAINT}/; say qx/date/;"
    v5.38.0
    Taint mode: 1
    Thu Oct 26 09:43:51 Pacific Daylight Time 2023
    C:> perl -TE "say $^V; say qq/Taint mode: ${^TAINT}/; say system(qq/date/);"
    v5.38.0
    Taint mode: 1
    Insecure $ENV{PATH} while running with -T switch at -e line 1.

    So apparently the Strawberry build on MSWin32 doesn't do taint checking on qx but it does on system. I'm now curious whether syphilis or someone else who has their own build(s) of MSWin32 perl.exe could check on one or more of 5.32, 5.34, and 5.38, to see if there's something about Strawberry's build, or something about MSWin32 builds in general, which causes tainting to behave differently.
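
A self-check for the qx-versus-system comparison made in this thread, as an added example that is not part of any post: run under -T, it sends one command through both qx// and system(), reports which of them perl refuses while the environment is tainted, then repeats after PATH is set to a literal. The stand-in command `perl -e 1` and the literal PATH values are assumptions.

```perl
# Added example, not code from the thread: report whether this perl build
# applies the tainted-%ENV check to qx// and to system().
# Run as: perl -T taintprobe.pl   (the file name is hypothetical)
use strict;
use warnings;
no warnings 'exec';    # a command that is not found is not the point here

die "Taint mode is off; run with perl -T\n" unless ${^TAINT};

# Assumption: "perl -e 1" is a harmless stand-in for the thread's "date".
# Whether it is found does not matter; only whether perl refuses to run it.
my $cmd = 'perl -e 1';

my %probe = (
    'qx//'     => sub { my @out = qx/$cmd/; return },
    'system()' => sub { system($cmd); return },
);

# Run both probes and print, per construct, whether perl died before
# starting the command (the "Insecure ..." error) or let it through.
sub check {
    my ($label) = @_;
    print "$label\n";
    for my $name (sort keys %probe) {
        my $ok  = eval { $probe{$name}->(); 1 };
        my $why = $ok ? 'ran without a taint error' : "refused: $@";
        $why =~ s/\s+\z//;
        printf "  %-9s %s\n", $name, $why;
    }
    return;
}

printf "perl %vd on %s, \${^TAINT} = %d\n", $^V, $^O, ${^TAINT};
check('Inherited (tainted) environment:');

# Assumption: fixed, literal directories; adjust them for the host.
$ENV{PATH} = $^O eq 'MSWin32' ? 'C:\\Windows\\System32' : '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
check('After setting PATH to a literal and deleting IFS CDPATH ENV BASH_ENV:');
```

A construct that reports "ran without a taint error" in the first pass is one this build does not guard against a tainted PATH, so code relying on -T for that construct needs its own environment cleanup.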