in reply to Taint error with Tk

Ok, I'll bite: $width is tainted. That means it came from an external source - a file, a socket, an environment variable, something. If you put this code above that call I bet it will work again: 

  $width  = 100;
  $height = 100;

[download]

Now, as for why $width is tainted, I can't tell. You didn't post the code that sets $width so I can only guess.

-sam

Replies are listed 'Best First'.
Re: Re: Another day, another Tk question
by Popcorn Dave (Abbot) on Apr 29, 2002 at 22:13 UTC
    Yes it does work if I hard code the variables.

    The code to get $height and $width is: 

    sub getfilesize{
    my @spec=();
    open FH, $file;
    for (0..9){$spec[$_] = getc(FH);}
    close FH;
    my $tmp1 = unpack("H2",$spec[7]).unpack("H2",$spec[6]);
    my $tmp2 = unpack("H2",$spec[9]).unpack("H2",$spec[8]);
    $width = unpack('s',pack('s',hex($tmp2)));
    $height = unpack('s',pack('s',hex($tmp1)));
    }

    [download]

    I know it's a bit screwy, but I just need to get the filesize out of a gif, no other format, so I thought writing the quick bit would be easier than plugging in a whole module.

    Given that, can you tell me why it's tainted? I'm lost on that one.

    Thanks!

[reply]
[d/l]
      Given that, can you tell me why it's tainted?

      Short answer: read perlsec.

      Long answer: @spec comes from file so it gets tainted. $tmp1 and $tmp2 are derived from @spec so they become tainted too. And $width with $height become tainted because they are derived from $tmp1 and $tmp2.

      If you want to unaint $width and $height your code should look like: 

      sub getfilesize{
    my @spec=();
    open FH, $file;
    for (0..9){$spec[$_] = getc(FH);}
    close FH;
    my $tmp1 = unpack("H2",$spec[7]).unpack("H2",$spec[6]);
    my $tmp2 = unpack("H2",$spec[9]).unpack("H2",$spec[8]);
    $width = unpack('s',pack('s',hex($tmp2)));
    ($width) = $width =~ /(\d+)/;
    $height = unpack('s',pack('s',hex($tmp1)));
    ($height) = $height =~ /(\d+)/;
    }

      [download]

      BTW if you are looking for simplicity just use Image::Size: 

      use Image::Size;
my ($width, $height) = imgsize($file);
($width) = $width =~ /(\d+)/;
($height) = $height =~ /(\d+)/;

      [download]

      P.S. It is unrelated to your question but you are using bad coding practices in your code. You are using global variables without need: to pass parameters to sub ($file) and to return data from the sub ($width and $height). It is better to rewrite you sub this way: 

      sub getfilesize{
    my $file = shift;
    my @spec=();
    open FH, $file;
    for (0..9){$spec[$_] = getc(FH);}

    close FH;
    my $tmp1 = unpack("H2",$spec[7]).unpack("H2",$spec[6]);
    my $tmp2 = unpack("H2",$spec[9]).unpack("H2",$spec[8]);
    my $width = unpack('s',pack('s',hex($tmp2)));
    ($width) = $width =~ /(\d+)/;
    my $height = unpack('s',pack('s',hex($tmp1)));
    ($height) = $height =~ /(\d+)/;
    return ($width, $height);
    }

# example of sub call
my ($width, $height) = getfilesize('/path/to/file.gif');

      [download]

      --
      Ilya Martynov (http://martynov.org/)

[reply]
[d/l]
[select]
      You need to read perlsec. After that it should be obvious why $width and $height are tainted. The short version: data coming from external sources is always tainted and will cause errors when running under -T.

      -sam

[reply]

In Section Seekers of Perl Wisdom