Actually there is nothing wrong with the behaviour you would get with the patch and your test case (removing the -T to simulate the effect of the patch as crlf will match ^[\w:]+$
[root@devel3 root]# TAINTED=crlf;export TAINTED [root@devel3 root]# perl5.8.3 -e 'print $ENV{TAINTED},$/;' crlf [root@devel3 root]# perl5.8.3 -e 'use PerlIO $ENV{TAINTED};' Can't locate PerlIO/crlf.pm in @INC (@INC contains: /usr/local/lib/per +l5/5.8.3/i686-linux-thread-multi /usr/local/lib/perl5/5.8.3 /usr/loca +l/lib/perl5/site_perl/5.8.3/i686-linux-thread-multi /usr/local/lib/pe +rl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at (eval 1) lin +e 3. [root@devel3 root]#
All that patching it to untaint \w: chars does is allow you to call an artitrary PerlIO::Widget::Whotnot. That module still has to exist or it will just explode.
You could make a good argument for a patch like:
corak "No way hosay...." unless $layer =~ m/^([\w:]+)$/; $layer = $1; eval "....
cheers
tachyon
In reply to Re: no PerlIO $ENV{TAINTED};
by tachyon
in thread Perl 5.8.0 PerlIO insecure dependency
by bplatz
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |