Ah k, in this case, the content of $shellstring is tainted. This means that $shellstring obtains its value from a source outside of your script. If you are ____absolutely___ sure that this string contains what you think it does, you can do ($shellstring) = $shellstring =~ m#^(.*)$#; before sending it through the backticks. This will untaint the value. Please note that under the rarest conditions should data simply be untainted as such. This just defeats the purpose of taint, and it's rare that such a method should be used. If you cannot trust that $shellstring contains undamaging data, then you need to come up with a regex to ensure that the string is safe.

I am telling myself that the string cannot be trusted since it appears to be coming from an outside source. Mind posting the code where $shellstring is generated?

If the above content is missing any vital points or you feel that any of the information is misleading, incorrect or irrelevant, please feel free to downvote the post. At the same time, please reply to this node or /msg me to inform me as to what is wrong with the post, so that I may update the node to the best of my ability.

No problem, here's the code generating $shellstring:

$shellstring = '-v -in src_alignment.fasta ';
foreach my $key (keys(%{$param})) {
   CASE: {
      if ($key eq 'groups')      { $shellstring .= '-groups "'.$param-
+>{'groups'}.'" ';   last CASE; }
      if ($key eq 'ngra')        { $shellstring .= '-ngra ';          
+                    last CASE; }
      if ($key eq 'gh')          { $shellstring .= '-gh '.$param->{'gh
+'}.' ';             last CASE; }
      if ($key eq 'sa')          { 
         unless ($param->{'ca'}) { $shellstring .= '-sa '; } # '-ca' o
+verrides '-sa' 
         last CASE;
      }
      if ($key eq 'ca')          { $shellstring .= '-ca ';            
+                    last CASE; }
      if ($key eq 'cg')          { $shellstring .= '-cg ';            
+                    last CASE; }
   }
}
[download]

'src_alignment.fasta' is a file from upload or FORM data from a user, which will be mangled by the external script. '$param->{'groups'}' and '$param->{'gh'}' is tested in another subroutine for validity:

if ($key eq 'groups') {
   if ($param->{$key} =~ m/[^0-9\,\-\|]/) { # check for illegal charac
+ters in group-definition
      print "\n>>> Illegal characters in groups-definition '".$param->
+{$key}."'! Only 0-9 and , and - and | are allowed!\n";
      $error = 1;
   }
   last CASE;
}
if ($key eq 'gh') {
   if ($param->{$key} =~ m/[^0-9]/) {
      print "\n>>> Illegal characters in graph-height '".$param->{$key
+}."'! Only 0-9 are allowed!\n";
      $error = 1;
   }
   last CASE;
}
[download]

If '$error' is found to be 1, the CGI-script exits and prints error messages. As I can see now from the anwers I got here my variables ('groups' and 'gh' especially) are not untainted "enough" or at all...just checking for validity is not enough here as far as I can see.

Thanks a lot for your help!

I assume that the contents of $shellsring come from outside the program. Have you untainted it?

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg