Is there a scenario where CGI could mess with the application file handles (or at least die again) because of particular values in the URL?
No.
This strikes me as needless code execution at best, and as a major security risk at worst. How has it been allowed to slip by without anyone noticing?
Congratulations, you're the first(?) to notice :)
It's not exactly needless (let's just say CGI is complicated), and it's not really a security risk, but you could argue it is a bug in perl-5.10.0
You can see the taint error message is total nonsense (there is no require being performed). I get no error with ActivePerl-5.8.9.825, ActivePerl-5.8.4.810.

    C:\>perl -e "warn 1;warn fileno shift" -
    1 at -e line 1.
    Warning: something's wrong at -e line 1.

    C:\>perl -Te "warn 1;warn fileno shift" -
    1 at -e line 1.
    Insecure dependency in require while running with -T switch at -e line 1.
    BEGIN failed--compilation aborted.

    C:\>more -
    die 666

    C:\>perl -e"require '-'
    666 at - line 1.
    Compilation failed in require at -e line 1.

    C:\>perl -e"require shift" -
    666 at - line 1.
    Compilation failed in require at -e line 1.

    C:\>perl -Te"require shift" -
    Insecure dependency in require while running with -T switch at -e line 1.

    C:\>

A good alternative to CGI is CGI::Simple
In reply to Re: fileno, taint and CGI.pm
by Anonymous Monk
in thread fileno, taint and CGI.pm
by ruzam