Plankton has asked for the wisdom of the Perl Monks concerning the following question:

Friends,
I am not sure how to deal with -T. Here's what I am doing ...
    $ cat myscript.pl
    #!/usr/bin/perl -wT
    use strict;
    my $word = defined($_=shift) ? $_ : die "usage: $0 <word>\n";
    chomp($word);
    sub spelled {
        my $word = shift;
        my $out=`spelled $word`;
        print "$out\n";
    }
    spelled ($word);
    $ ./myscript.pl atomic bombs
    Insecure dependency in `` while running with -T switch at ./myscript.pl line 8.
What do I need to do to keep from getting the Taint error?

Plankton: 1% Evil, 99% Hot Gas.

Re: Insecure dependency in `` while running with -T switch
by Ovid (Cardinal) on Dec 18, 2003 at 17:13 UTC

    The problem is in the backticks. You'll need to untaint your word with regular expression match. One way to do it:

    my $_word = defined($_=shift) ? $_ : die "usage: $0 <word>\n";
    chomp($_word);
    my ($word) = $_word =~ /([[:alnum:]]+)/;

    Perl thinks that $word might be dangerous, so it's trying to prevent you from performing what it thinks is an unsafe operation. See perlsec for details.

    Cheers,
    Ovid

    New address of my CGI Course.

      make sure you don't (I repeat, don't) just use regexes as a transparent layer and compromise the purpose of taint; make sure you actually are checking the data properly for potential bad values, so avoid using /.*/ just to "shut up" the mechanism.
Re: Insecure dependency in `` while running with -T switch
by merlyn (Sage) on Dec 18, 2003 at 17:12 UTC
    Either add -Mdiagnostics to your program, or grep through the perldiag manpage, and you'll find:
    Insecure dependency in %s
    (F) You tried to do something that the tainting mechanism didn't like. The tainting mechanism is turned on when you're running setuid or setgid, or when you specify -T to turn it on explicitly. The tainting mechanism labels all data that's derived directly or indirectly from the user, who is considered to be unworthy of your trust. If any such data is used in a "dangerous" operation, you get this error. See perlsec for more information.
    And looking at perlsec, we see all sorts of things that trigger such an error. In particular, you'll probably need to set $ENV{PATH} to an untainted value.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

Re: Insecure dependency in `` while running with -T switch
by Zaxo (Archbishop) on Dec 18, 2003 at 17:11 UTC

    The outer $word is shifted in from the command line, so is tainted. Detaint it by checking and assigning.
    
    ($word) = $word =~ /^(\w+)$/ or die 'Bad User!';
    
    for instance.

    Update: Overlooked the backticks, you should also use absolute /path/to/spelled or set $ENV{PATH} as merlyn and Ovid suggest.

    After Compline,
    Zaxo
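Putting the three replies together (Ovid's regex untaint, merlyn's $ENV{PATH}, Zaxo's absolute path), here is an added, complete rewrite of the original script; it is not code from any of the posters. It assumes the checker binary lives at /path/to/spelled (a placeholder to replace) and swaps the backticks for the list form of open, so the word is never handed to a shell at all.

```perl
#!/usr/bin/perl -wT
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted too. Give child processes a fixed, known PATH
# and drop the other variables perlsec says can influence an exec'd program.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Validate the argument against a strict pattern and keep only the capture.
# The capture is what clears the taint flag, so the pattern must describe
# exactly what a legitimate word looks like, not /(.*)/ (see the warning
# under Ovid's reply). Letters only, bounded length, anchored at both ends.
sub untaint_word {
    my ($raw) = @_;
    defined $raw or die "usage: $0 <word>\n";
    chomp $raw;
    my ($word) = $raw =~ /\A([[:alpha:]]{1,64})\z/
        or die "Bad User! '$raw' is not a single word\n";
    return $word;
}

# Run the checker without a shell: the list form of open passes $word as one
# argv element, so "atomic bombs" or a word containing ;, | or $ is never
# re-parsed into extra commands or arguments. /path/to/spelled is assumed.
sub spelled {
    my ($word) = @_;
    open my $fh, '-|', '/path/to/spelled', $word
        or die "cannot run spelled: $!\n";
    my @out = <$fh>;
    close $fh or warn "spelled exited with status ", $? >> 8, "\n";
    return join '', @out;
}

my $word = untaint_word(shift);
die "word is still tainted\n" if tainted($word);   # sanity check; should never fire
print spelled($word);
```

Running this with the original argument "atomic bombs" now dies at the untaint step with "Bad User!" instead of reaching the external command, which is the behaviour -T is there to enforce.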