in reply to Common untainting methods?

When Perl gurus are asked "how do I untaint stuff", they generally answer with "it depends".
Well, it doesn't "depend". There is only one (correct) way to untaint data, and that is by matching it.
my $tainted = $ENV{PATH};
my ($untainted) = $tainted =~ /^(.*)$/;
What you allow to match is the part that "depends" (it's called data validation).

In your case, it doesn't look like you need to validate data at all (you may need to escape it if you're gonna display it via html, but you should allow the user to enter everything).

PS - on a sidenote, you can untaint values like

my $tainted = $ENV{PATH};
my ($untainted) = keys %{ { $tainted => undef } };
but you cannot rely on that behaviour.
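Worked example added here (not from the original post or its author): a validating untaint routine next to an HTML escape, to show that the two are different jobs. It assumes taint mode (run it with perl -T) and a constructed %form hash standing in for CGI input; the untaint and escape_html names are mine.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run with: perl -T untaint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint $value only if it matches $pattern. Anchoring the whole string
# (\A ... \z) is the "data validation" part: what you allow is the policy.
sub untaint {
    my ($value, $pattern) = @_;
    return undef unless defined $value;
    return $1 if $value =~ /\A($pattern)\z/;   # $1 comes out untainted
    return undef;                              # validation failed
}

# Escaping is a separate concern: it makes a value safe to embed in HTML
# but does nothing about taint (the result is still tainted).
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample input standing in for a CGI form.
my %form = (
    user    => 'alice',
    comment => '<script>alert(1)</script>',
);
# Mark the values tainted for the demo by appending an empty tainted
# string taken from %ENV (taint propagates even through an empty slice).
$_ .= substr($ENV{PATH} // '', 0, 0) for values %form;

# A username is used later (file names, shell, SQL), so it is validated
# against an explicit whitelist and untainted.
my $user = untaint($form{user}, qr/[A-Za-z0-9_]{1,32}/);
die "bad username\n" unless defined $user;
printf "user=%s tainted=%d\n", $user, tainted($user) ? 1 : 0;

# The comment is only displayed, so it is escaped, not untainted.
my $html = escape_html($form{comment});
printf "comment=%s tainted=%d\n", $html, tainted($html) ? 1 : 0;

# The catch-all /^(.*)$/ style match "untaints" anything at all, which
# removes the taint flag without validating; this shows why that is weak.
my $anything = untaint($form{comment}, qr/.*/);
printf "anything=%s tainted=%d\n", $anything, tainted($anything) ? 1 : 0;
```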

Re: Re: Common untainting methods?
by sgifford (Prior) on Nov 26, 2003 at 06:39 UTC
    That's the correct mechanism for untainting data, but if you actually want to get any of the security benefits of taint checking, you'd need to do better than that.
      Right, but in this case, he doesn't need to untaint data at all (escape ne untaint).