in reply to Re: Re: Error using -T...
in thread Error using -T...

powerhouse,
The problem is that you are requiring a file from tainted data. You will have to Untaint $pg first. I am not sure I would be doing it the same way you are if I was concerned about security.

Cheers - L~R

Re: Error using -T...
by powerhouse (Friar) on May 31, 2003 at 20:01 UTC
    What security gap do you see there? The file requires one written in the back end, and it does not rely upon anything passed in the browser, except a page, and it only uses that to see if it exists, and when it passes it to the subroutine to get the title and content, I do security checks and use placeholders.

    I don't really know what else to guard for.

    What are you thinking?

    thx,
    Richard
      powerhouse,
      The point to using Taint checking is to never allow your script to let data it obtains externally escape the program (as I pointed out in my first post). You are requiring a variable - that variable was obtained external to your program - this means that you will have to Untaint it before you use it. You really should look at perldoc perlsec as Enlil suggested.

      Cheers - L~R
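
An added example, not code from any poster in this thread, of the untainting step discussed above: the externally supplied page name is matched against an allowlist pattern, and only the captured value is used to build the path passed to `require`. The directory `/var/www/app/pages`, the `.pl` suffix and the sub name `untaint_page` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Run as: perl -T untaint_page.pl [page-name ...]
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumption: page files live in one fixed directory as <name>.pl
my $PAGE_DIR = '/var/www/app/pages';    # hypothetical path

# Return an untainted page name, or undef if the input is not acceptable.
sub untaint_page {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Allowlist: letters, digits and underscore only, so no dots, slashes
    # or NUL bytes can reach the file name. \A and \z anchor the whole
    # string; a bare $ would also accept a trailing newline.
    # Only the captured $1 is considered untainted by Perl.
    return $raw =~ /\A([A-Za-z0-9_]{1,64})\z/ ? $1 : undef;
}

# Under -T the command-line arguments are tainted, like a CGI parameter.
# With no arguments, fall back to constructed sample values.
my @inputs = @ARGV ? @ARGV : ('about', '../../etc/passwd', "about\n", 'a;b');

for my $raw (@inputs) {
    (my $shown = $raw) =~ s/\n/\\n/g;    # printable form for the report
    my $pg = untaint_page($raw);
    if (!defined $pg) {
        print "rejected: '$shown'\n";
        next;
    }
    printf "accepted: '%s' (input tainted: %s, result tainted: %s)\n",
        $pg, (tainted($raw) ? 'yes' : 'no'), (tainted($pg) ? 'yes' : 'no');

    # The path is built from a constant directory plus the validated name.
    # An absolute path also keeps require from searching @INC.
    my $file = "$PAGE_DIR/$pg.pl";
    if (-f $file) {
        require $file;
    } else {
        print "  no such page file: $file\n";
    }
}
```

Matching the whole string against a narrow pattern is what makes the capture meaningful; a pattern such as `/(.*)/` would clear the taint flag without validating anything.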