To expand a bit on CountZero's reply, taint mode (-T) protects you from inadvertently writing a script that allows malicious abuse to be too easy. If you have specific expectations about the file(s) that should properly be deleted by this script in response to a CGI parameter that it receives, then you need to test that the value of the "f" parameter matches those expectations as explicitly as possible before you pass that parameter value to the "unlink()" function.

For example, if you know that proper file deletion requests must involve only files in a specific directory, and even better, if you know there is a specific pattern to the file names to be deleted, then your CGI script should be set up so that the browser sends a value for the "f" parameter that includes only the file name, or only the "variable" (user-specified) portion of the file name. If the parameter value from the browser contains anything else (e.g. a directory path with slashes), you ignore the request -- you only do the unlink if the parameter value meets specific conditions, and you supply the directory path (and any fixed/pre-established portions of the file name) for the unlink call.

Without those checks and controls, a hacker who is lucky or knowledgeable enough to figure out file paths/names that the web-server "user" has permission to delete would be able to delete those other files, despite you having no intention to delete them.
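To make the pattern described in this reply concrete, the following is an added example (it is not graff's code or anything from the original thread). It runs under `-T`, accepts only the variable part of the file name in the "f" parameter, untaints it through a regex capture, and supplies the directory and the fixed parts of the name itself. The directory `/var/www/app/uploads` and the `report_<digits>.txt` naming scheme are assumptions made for illustration; substitute your own.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post: validate and untaint the "f"
# CGI parameter before handing anything to unlink().  Under -T, passing a
# tainted value to unlink dies with "Insecure dependency", so the regex capture
# below is the only path by which browser input can reach the filesystem call.
use strict;
use warnings;
use CGI;

# Under -T, %ENV is tainted; pin PATH and drop variables that could affect
# any child process the script might start.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Directory and fixed name parts are decided here, never by the browser.
# (Hypothetical values for illustration.)
my $UPLOAD_DIR = '/var/www/app/uploads';

# Return the untainted variable part of the name, or undef if the parameter
# is missing or contains anything other than 1-12 digits.  Slashes, "..",
# NUL bytes and the like never match, so they are simply refused.
sub allowed_id {
    my ($f) = @_;
    return undef unless defined $f;
    return $f =~ /\A([0-9]{1,12})\z/ ? $1 : undef;   # $1 is the untainted copy
}

my $q  = CGI->new;
my $id = allowed_id( scalar $q->param('f') );

print $q->header('text/plain');

if ( !defined $id ) {
    # Bad or missing parameter: ignore the request rather than unlink anything.
    print "request refused\n";
}
else {
    # Assemble the full path from the fixed directory, the fixed prefix/suffix
    # and the validated id; only this constructed path is ever unlinked.
    my $path = "$UPLOAD_DIR/report_$id.txt";

    if ( -f $path && unlink $path ) {
        print "deleted report_$id.txt\n";
    }
    else {
        print "nothing deleted: $!\n";
    }
}
```

The anchored pattern (`\A ... \z`) matters: without the anchors a value such as `123/../../etc/passwd` would still contain a run of digits and match, and a trailing newline slips past `$` but not `\z`. Keeping the directory in a script constant means a request can only ever name a file inside that directory, which is exactly the "supply the directory path yourself" rule above.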


In reply to Re^5: unlink($ful) does not delete by graff
in thread unlink($ful) does not delete by daithimcc
