Now I open config1 and read another filename from it - config2. config2 I trust, because if someone has been able to edit config1 they've already breached my security.

So in other words, if config1 gets screwed up, whether by malicious intent, or by honest ignorance, or by a simple typo, whatever consequence ensues is okay in your view?

What's the cost of treating it the same as the CGI parameter that gives you "config1"? (You didn't say what you're doing to untaint that, but I guess we shouldn't doubt that you're doing it properly...)

Maybe I'm wrong about this, but I would have thought that if a CGI parameter were untainted properly, such that you could derive from it a file name on the server that could be opened and read, then the data in that file should already be taint-safe (i.e. not need to be untainted).

But if I am wrong about that, and data being read from a named file on the server is treated as tainted, I really don't see the point of handling it any differently than other tainted data. What are you saving by doing this?

In reply to Re: untainting that which needs no untainting by graff
in thread untainting that which needs no untainting by Anonymous Monk
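
The chain the post describes (CGI parameter, then config1, then config2), traced under Perl's taint mode as an added example that is not code from the thread; the temp-dir fixture, the `untaint_name` helper and the substr-of-%ENV tainting idiom are assumptions made for the demo:

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempdir);

# Constructed fixture standing in for the server's two config files.
my $dir = tempdir(CLEANUP => 1);
for my $pair (["config1", "config2\n"], ["config2", "setting=1\n"]) {
    open my $w, '>', "$dir/$pair->[0]" or die "write: $!";
    print {$w} $pair->[1];
    close $w;
}

# Stand-in for the CGI parameter. Real request data arrives tainted; here a
# constant is tainted with the usual substr-of-%ENV idiom (assumed fixture).
my $param = "config1" . substr($ENV{PATH} // "", 0, 0);

sub untaint_name {                  # the one place taint is removed
    my ($s) = @_;
    my ($ok) = $s =~ /\A([A-Za-z0-9_.-]+)\z/
        or die "refusing unexpected file name";
    return $ok;
}

# Step 1: CGI param -> config1. Untaint the name, then open the file.
my $name1 = untaint_name($param);
open my $fh1, '<', "$dir/$name1" or die "config1: $!";
chomp(my $name2 = <$fh1>);
close $fh1;

# Step 2: what was read from config1 is tainted no matter how config1's own
# name was cleaned: taint attaches to the source (a filehandle), not the path.
print "name read from config1 tainted: ", (tainted($name2) ? "yes" : "no"), "\n";

# Taint mode still permits a read-only open with that tainted name...
open my $fh2, '<', "$dir/$name2" or die "config2: $!";
close $fh2;
# ...but refuses anything that writes or executes using it.
eval { open my $bad, '>', "$dir/$name2.bak" or die $! };
print "write with tainted name: ",
      ($@ =~ /Insecure dependency/ ? "blocked" : "allowed"), "\n";

# So the value read from config1 needs the same regex gate as the CGI param.
my $clean2 = untaint_name($name2);
open $fh2, '<', "$dir/$clean2" or die "config2: $!";
print "config2 says: ", <$fh2>;
```

Run it as `perl -T script.pl` so the taint switch on the shebang line is honoured.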