Up to Perl 5.8.6, it was perfectly legal to open a pipe like this and not worry about $ENV{'PATH'} (notice the -T flag): 
#!/usr/bin/perl -wT

use strict;

$SIG{'PIPE'} = 'IGNORE';
$| = 1;

my $pid = open CONSUMER, '|-';
if (!defined $pid) {
    die "cannot fork: $!";
}
if (!$pid) {
    open STDOUT, '/dev/null';
    my $msg = <STDIN>;
    exit(0);
}
print CONSUMER "hi there\n" or die "cannot write to pipe: $!";
close CONSUMER
    or die $! ? "error closing pipe: $!" : "child exit status: $?";
print "done, satisfied\n";

[download]

However, Perl 5.8.7, 5.8.8 and 5.9.3 won't allow that any longer, insisting that $ENV{PATH} should be set to something secure before executing the open.

I wonder why that is. The environment should be checked before exec and the like, but what is wrong with a simple fork eludes me. Especially since the other piping direction '-|' appears to trigger no such paranoia.

Am I overlooking something or could this be a Perl bug? I'd like to not interfere with global variables like %ENV unless I must.

Update:

The error message I am getting is: Insecure $ENV{PATH} while running with -T switch at /home/martin/example line 8.

And indeed, inserting a line $ENV{'PATH'} = '/bin'; just before the open makes Perl happy if not me.

In reply to Pipe open triggering environment taint check by martin

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.