in reply to Re: Back to acceptable untainted characters
in thread Back to acceptable untainted characters

In fact, if you use a regex to parse fields out of something, you should mark the extracted fields as tainted unless your regex was carefully constructed to make sure they're safe.

How does one mark a variable as tainted? I did not realize the program had any way to control it directly.


Re: Back to acceptable untainted characters
by jonadab (Parson) on Sep 09, 2003 at 02:40 UTC
    How does one mark a variable as tainted?
    use Taint (); Taint::taint($untrustedvalue);

    For example, if you use a regex to parse the key-value fields out of a query string and reverse the CGI encoding, you should mark the resulting data as tainted. (The "use CGI or die" advocates will tell you that you shouldn't be writing your own function for that anyway, but that's another debate for another thread.)


    $;=sub{$/};@;=map{my($a,$b)=($_,$;);$;=sub{$a.$b->()}} split//,".rekcah lreP rehtona tsuJ";$\=$ ;->();print$/

      That is not a standard module. It is not pure-Perl code either. (It uses XS to reach into the interpreter guts and set the tainted bit.)
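The following is an added example, not code posted by jonadab or anyone else in this thread, illustrating both points made above: a hand-rolled query-string parser that explicitly re-taints what it extracts, and a deliberately narrow validating regex as the only laundering step. Because the reply notes that Taint is not a core module, it taints values with the pure-Perl idiom of appending a zero-length substring of an always-tainted value (%ENV under -T) and checks the flag with Scalar::Util::tainted, which is core. The query string, field names and the digits-only rule for "id" are constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example: tainting, propagation and laundering under perl -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value in %ENV is tainted. A zero-length substr of one of
# them is an empty string that still carries the taint flag, so appending it
# marks any string tainted. Assumption: this idiom stands in for
# Taint::taint() from the thread, which is a non-core XS module.
my $taint = substr(join('', values %ENV), 0, 0);
die "environment not tainted; run this with perl -T\n" unless tainted($taint);

# Constructed sample input, tainted the way real CGI input would be.
my $query = 'id=42&name=Al%20ice&sort=date' . $taint;

# Hand-rolled parser. split/tr keep the taint of their input, but the %XX
# decoding uses a capture ($1), and captures are exactly how Perl untaints;
# so, as jonadab advises, the parsed value is re-tainted explicitly rather
# than trusting whatever the decoding step left behind.
# (Hash keys do not carry a taint flag, so treat the keys as untrusted too.)
sub parse_query {
    my ($qs, $mark) = @_;
    my %fields;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        $fields{$k} = $v . $mark;   # extracted field stays tainted
    }
    return \%fields;
}

# Laundering done right: the character class is the policy. Only a value
# that is entirely 1-10 digits comes back, and it comes back untainted.
sub untaint_id {
    my ($v) = @_;
    return defined $v && $v =~ /\A(\d{1,10})\z/ ? $1 : undef;
}

# The anti-pattern jonadab warns about: (.*) matches anything, so this
# "untaints" without validating and defeats the point of -T.
sub untaint_anything_badly {
    my ($v) = @_;
    return $v =~ /\A(.*)\z/s ? $1 : undef;
}

my $fields = parse_query($query, $taint);
for my $k (sort keys %$fields) {
    printf "%-5s %-7s tainted=%d\n", $k, $fields->{$k},
        tainted($fields->{$k}) ? 1 : 0;            # all three: tainted=1
}

my $id = untaint_id($fields->{id});
printf "id via narrow regex:  %s tainted=%d\n", $id, tainted($id) ? 1 : 0;   # 42, tainted=0

my $bad = untaint_anything_badly($fields->{name});
printf "name via (.*):        %s tainted=%d\n", $bad, tainted($bad) ? 1 : 0; # untainted, unchecked

# A tainted value cannot reach a sensitive op; a properly laundered one can.
my $rc = eval { open(my $fh, '>', "/tmp/demo.$id") or die "open: $!\n"; close $fh; 1 };
print $rc ? "open with laundered id: ok\n" : "open refused: $@";
```

Run it as `perl -T script.pl` (the shebang alone gives "Too late for -T" when invoked through perl without the switch). The point to take from the output is that the sloppy `(.*)` capture produces a value the interpreter now trusts even though nothing about it was checked, whereas the narrow class both validates and untaints in one step; if a field needs to stay untrusted after parsing, append the tainted empty string as shown rather than relying on the taint status of a substitution's result.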