bind() binds a keymap to a readline function or macro (so sayeth the BASH info pages anyway-- I've never used it). My guess is that the module is picking up values for $sh or $this from the environment or from system calls at some point in the process. And indeed looking at the source for Net::Printer verifies something like this is happening.

In at least one spot it is relying on assigning the return value from a backticked `hostname` command (both in the OpenSocket and printfile functions). My suggestion would be to fork the Net::Printer module for your local install (just give it a new name and put it in the directory with your script and use as you would any other of your own modules). You can then go through and either hardcode the correct results for these system calls or add taint checking (for valid hostname returned values) (or just detaint the $hostname variables without checking them-- it seems to me that anyone who can cause an insecure hostname return value has already compromised the system).

If you manage to get a taint-safe version made without hardcoding your hostname into the script, consider sending a patch to the package maintainer.

UPDATE: ariels is right, and I am officially red-faced about it. The bind in use by Net::Printer is something else entirely from what I described, but it still sounds like a thinly veiled system call to me (this socket binding stuff). As such it would be dangerous to do it with tainted inputs, and the crux of your problem remains the same: either replace the system call to hostname with hardcoded data, introduce hostname detainting into the module, or simply replace the backticked system call with "use Sys::Hostname; my $hostname = hostname();".

In reply to (ichimunki) Re x3 : disable taint for just one sub by ichimunki
in thread disable taint for just one sub by khippy
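
An added example, not part of the original post and not code from Net::Printer: one way to get the hostname under -T without a backticked `hostname`, validating the value before detainting it rather than detainting blindly. The sub name untaint_hostname, the script file name and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_hostname.pl   (file name is hypothetical)
use strict;
use warnings;
use Sys::Hostname qw(hostname);
use Scalar::Util qw(tainted);

# Return an untainted copy of $raw if it is a syntactically valid hostname
# (RFC 1123 labels: letters, digits, inner hyphens), otherwise undef.
# Perl clears taint only on regex captures, so the pattern is the whole check.
sub untaint_hostname {
    my ($raw) = @_;
    return undef if !defined $raw || length($raw) > 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $raw =~ /\A($label(?:\.$label)*)\z/ ? $1 : undef;
}

# Zero-length tainted string; appending it taints a constructed sample.
my $taint = substr($^X, 0, 0);

# Constructed sample values, not output from any real system.
my @samples = map { $_ . $taint }
    ('printhost', 'lp1.example.com', 'bad host', 'x;id', '-leading.example');

for my $raw (@samples) {
    my $clean = untaint_hostname($raw);
    my $verdict = defined $clean
        ? 'accepted, tainted_out=' . (tainted($clean) ? 1 : 0)
        : 'rejected';
    printf "%-20s tainted_in=%d => %s\n", "'$raw'", tainted($raw) ? 1 : 0, $verdict;
}

# The real lookup: no backticks, so no dependence on a tainted $ENV{PATH}.
my $hostname = untaint_hostname(hostname());
defined $hostname
    or die "hostname() returned a value that is not a valid hostname\n";
print "using hostname: $hostname\n";
```

The pattern is deliberately strict, so a host whose name contains an underscore or other non-RFC 1123 character is rejected and the script dies instead of passing the value on to a socket call.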
