in reply to Unexpected de-tainting with hash keys

Uh... Eek!?

For a shorter example:

$ perl -lTe 'eval(+shift)' -- 'print "hi"'
Insecure dependency in eval while running with -T switch at -e line 1.
$ perl -lTe '$h{+shift} = 1; eval $_ for keys %h' -- 'print "uh oh"'
uh oh
and that's 5.8.0.

-sauoq
"My two cents aren't worth a dime.";

Re: Re: Unexpected de-tainting with hash keys
by bobn (Chaplain) on Jul 11, 2003 at 02:11 UTC

    ++ to you: not only is it shorter, it proves the significance of this bug as it shows execution of tainted data.

    Apparently the stringification of hash keys is untainting this while providing no safety.

    Eek indeed.

    --Bob Niederman, http://bob-n.com
      You nailed it. The hash key is a string and not a scalar. See my post below.


      TGI says moo
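
An added example, not code from any poster in this thread: the script below uses Scalar::Util's tainted() to show where the taint flag survives (the original scalar, a hash value) and where it is lost (a hash key), then routes the input through a fixed dispatch table so that nothing derived from it reaches eval. The file name taint_keys.pl, the %DISPATCH table and run_command() are hypothetical names chosen for illustration.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run as: perl -T taint_keys.pl 'some argument'   (hypothetical file name)
die "usage: perl -T $0 ARGUMENT\n" unless ${^TAINT} && @ARGV;

my $input = shift @ARGV;            # tainted: it came from the command line

my %as_key   = ($input => 1);       # key: kept as a plain string, no taint flag
my %as_value = (arg => $input);     # value: a real scalar, taint flag travels with it

my ($key) = keys %as_key;           # same text as $input, read back from the key

printf "original scalar tainted: %s\n", tainted($input)         ? 'yes' : 'no';
printf "hash key tainted:        %s\n", tainted($key)           ? 'yes' : 'no';
printf "hash value tainted:      %s\n", tainted($as_value{arg}) ? 'yes' : 'no';

# Defensive pattern: do not rely on the taint flag once data has been a hash key.
# Map the untrusted text onto code written in advance; unknown names are refused
# and the text itself is never compiled or executed.
my %DISPATCH = (
    status  => sub { 'status: ok' },
    version => sub { "perl $]" },
);

sub run_command {
    my ($name) = @_;
    my $handler = $DISPATCH{$name} or return 'rejected: unknown command';
    return $handler->();
}

print run_command($input), "\n";    # same result whether or not the flag survived
print run_command($key),   "\n";
```

When input has to be carried in a hash and still be caught by taint checks later, store it as a value, since only values keep the flag.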